Abstract

We investigate the interactions of subtyping and recursive types, in a simply
typed λ-calculus. The two fundamental questions here are whether two (recursive)
types are in the subtype relation, and whether a term has a type.

To address the first question, we relate various definitions of type equivalence 
and subtyping that are induced by a model, an ordering on infinite trees, an 
algorithm, and a set of type rules. We show soundness and completeness between 
the rules, the algorithm, and the tree semantics. We also prove soundness and a 
restricted form of completeness for the model. 

To address the second question, we show that to every pair of types in the 
subtype relation we can associate a term whose denotation is the uniquely 
determined coercion map between the two types. Moreover, we derive an 
algorithm that, when given a term with implicit coercions, can infer its least type 
whenever possible. 
1. Introduction

Subtyping is an inclusion relation between types that is present to some degree in many 
programming languages. Subtyping is especially important in object-oriented languages, where it 
is crucial for understanding the much more complex notions of inheritance and subclassing. 

Recursive types are also present in most languages. These types are supposed to unfold 
recursively to match other types. Moreover, unfolding must preserve typing soundness and not 
cause the compiler to diverge. 

In this paper we investigate the interaction of unrestricted recursive types with subtyping. 
This interaction is present in some modern languages based on structural type matching (where 
type equality or subtyping is determined by some abstract type structure, and not by how types 
are syntactically presented). In the past, recursive types have often been restricted by other 
language features; for example by explicit unfolding in ML, and by name matching in Modula-2. 
Algol68 was the first language to rely on a structural type equality algorithm for recursive types. 
Thereafter name matching became popular, largely because it is easier to implement but also 
because it prevents accidental matches based on type structure. 

Name-matching determines type equality by relying, at least partially, on the names assigned 
to types in a given program, instead of on their structure. With name matching, recursive analysis 
can stop at occurrences of type names. Unfortunately there is no general definition of name 
matching; each language, and sometimes each compiler, implements it slightly differently. Types 
with the same meaning (in the eye of the programmer) may or may not be equated in different 
runs of the compiler, depending on irrelevant textual perturbations that affect the name matching 
rules. 

The inconsistency of name-matching rules becomes a problem in distributed environments, 
where type definitions and data may migrate outside the compiler or program run in which they 
are created. Types and data should have a meaning independent of particular runs, hence 
languages such as Modula-3 [22] and other experimental languages such as Amber [10] and 
Quest [9, 12] concerned with data persistence and data migration, have again adopted structural 
matching. Since these languages also rely on subtyping, structural subtyping becomes an issue. 
Because of various language design issues, Modula-3 restricts itself to structural equivalence plus 
a limited form of structural subtyping; in this paper we deal with the unrestricted combination of 
recursion and subtyping, which forms the basis of Amber and Quest. 

With this motivation, we investigate type systems with recursive types and subtyping, and the 
related problems of structural matching and structural subtyping. Structural matching techniques 
are well known, and have strong connections with well-understood theoretical concepts. 
Structural subtyping is a much newer subject. We provide the first complete theory of recursive 
subtypes that leads naturally to an effective type theory and to typechecking algorithms. In 
practice it is easy to adapt algorithms for structural typing to structural subtyping (although to our 
knowledge, this was first done in Amber), but formalizing the type rules and the proofs of 
correctness of the algorithms is more challenging. We show that both our algorithm and our type 
rules are complete with respect to a natural notion of subtyping. 
In the rest of the introduction we provide the basic intuitions about recursive subtypes, and
we illustrate the main problems along with several non-solutions. Section 2 formalizes the syntax
of a basic calculus with recursive types and section 3 introduces a subtyping relation based on a
tree ordering. Section 4 describes a subtyping algorithm, and section 5 describes the corresponding
type rules. A partial equivalence relation model is given in section 6. Finally, section 7
relates subtyping to type coercions.

1.1 Types 

A type, as normally intended in programming languages, is a collection of values sharing a
common structure or shape. Examples of basic types are: Unit, the trivial type containing a single
element, and Int, the collection of integer numbers. Examples of structured types are: Int→Int,
the functions from integers to integers; Int×Int, the pairs of two integers; and Unit+Int, the
disjoint union of Unit and Int consisting of either a unit value marked "left" or an integer marked
"right" (given two arbitrary but distinct marks).

A recursive type is a type that satisfies a recursive type equation. Common examples are:

Tree = Int + (Tree×Tree)

the collection of binary trees with integer leaves, and:

List = Unit + (Int×List)

the collection of lists of integers. Note that these are not definitions of Tree and List; they are
equational properties that any definition of Tree and List must satisfy.

There are also useful examples of recursion involving function spaces, typical of the object- 
oriented style of programming: 

Cell = (Unit→Int) × (Int→Cell) × (Cell→Cell)

A Cell is interpreted as the collection of integer-containing memory cells, implemented as triples
of functions read: Unit→Int, write: Int→Cell, and add: Cell→Cell. In each of these functions the
current cell is implicit, so for example add needs only to receive another cell in order to perform
a binary addition.

Recursive types can hence be described by equations, and we shall see that in fact they can be
unambiguously defined by equations. To see this, we need some formal way of reasoning about
the solutions of type equations. These formal tools become particularly useful if we start
examining problematic equations such as t = t, s = s×s, r = r→r, etc., for which it is not clear
whether there are solutions or whether the solutions are unique.

It is appealing to set up sufficient conditions so that type equations have canonical solutions.
Then, if we have an equation such as t = Unit+(Int×t), we can talk about the solution of the
equation. Such a canonical solution can then be indicated by a term such as μt.Unit+(Int×t): the
type t that is equal to Unit+(Int×t). Here μt.α is a new type construction just introduced for
denoting canonical solutions.

To say that L ≜ μt.Unit+(Int×t) (where ≜ means equal by definition) is the solution of the
List equation implies that L must satisfy the equation; that is, L = Unit+(Int×L) must be
provable. This requirement suggests the most important rule for the μt.α construction, which
amounts to a one-step unfolding of the recursion:

μt.α = [μt.α/t]α

meaning that μt.α is equal to α where we replace t by μt.α itself. In our example we have:

L = μt.Unit+(Int×t) = [L/t](Unit+(Int×t)) = Unit+(Int×L)

which is the equation we expected to hold.

Having discussed recursive types, we now need to determine when a value belongs to a
recursive type. The rule above for μt.α allows us to expand recursive types arbitrarily far, for a
finite number of expansions. Hence, we can postulate that a finite value belongs to a recursive
type if it belongs to one of its finite expansions according to the ordinary typing rules. That is, we
push the troublesome μ's far enough until we no longer need to consider them.

However, if the values are not finite, for example if they are defined recursively, we may not
be able to push the μ's out of the way. In that case, we need to provide adequate notions of finite
approximations of values and types, and postulate that a value belongs to a type when every
approximation of the value belongs to some approximation of the type. An approximation αⁿ of a
type expression α is an appropriate truncation of α at depth n, hence it is different from an
unfolding. This will be made precise in later sections.

1.2 Subtypes 

If types are collections of values, subtypes should be subcollections. For example, we can
introduce two new basic types ⊥ (bottom), the collection containing only the divergent
computation, and ⊤ (top), the collection of all values. Then ⊥ should be a subtype of every type,
and every type should be a subtype of ⊤. We write these relations as ⊥ ≤ α and α ≤ ⊤.

Function spaces α→β have a subtyping rule that is antimonotonic in the first argument. That
is,

α→β ≤ α'→β'  if α' ≤ α and β ≤ β'

For example, if Nat ≤ Int, and f: Int→Cell stores an integer into a cell, then f is also willing to
store a natural number into a cell, that is f: Nat→Cell. Hence, it is sound to have Int→Cell ≤
Nat→Cell, but not the opposite. This antimonotonic rule is familiar in object-oriented
programming, where it is one of the main considerations for the correct typechecking of
methods.

Adequate subtyping rules can be found for all the other type constructions we may have. For
example, for products we have α×β ≤ α'×β' if α ≤ α' and β ≤ β'. Similarly, for disjoint unions we
have α+β ≤ α'+β' if α ≤ α' and β ≤ β'.

What is, then, subtyping for recursive types? The intuition we adopt is that two recursive
types α and β are in the subtype relation if their infinite unfoldings also are in this relation, in
some appropriate sense. We might at first just consider finite unfoldings α⁺ of a type α, and
require that "α ≤ β if for every α⁺ of α there is a β⁺ of β with α⁺ ≤ β⁺". However, we shall see
shortly that this condition is not strong enough. Hence, we insist on inclusion of infinite
unfoldings. This is made precise by the notion, mentioned above, of finite approximations αⁿ of
a type α, and by defining "α ≤ β if, for every n, αⁿ ≤ βⁿ".

Unfortunately, the formal subtyping rules for recursive types and the related algorithms
cannot rely on approximations, since "αⁿ ≤ βⁿ for every n" involves testing an infinite number of
conditions. The subtyping rules should rely instead on "finitary" rules, and it is therefore not so
obvious how to invent a collection of rules that achieve the desired effect. For example, a first
idea might be simply to say that:

if α ≤ β then μt.α ≤ μt.β    (1)

where t may occur free in α and β. By this we can show that, for example, μt.t→t ≤ μt.⊥→t,
just from the assumption that t ≤ t. Unfortunately we also have:



and these are not subtypes: the first ⊥ on the left and the first ⊤ on the right are in the wrong
inclusion relation (⊤ ≤ ⊥), being in antimonotonic position.

The problem with rule (1) comes from the negative occurrences (on the left of an odd number
of →'s) of the recursion variable. In fact rule (1) is sound for types that are monotonic in the
recursion variable.

A correct (and finitary) rule for inclusion of recursive types is instead the following:

(s ≤ t ⇒ α ≤ β) ⇒ μs.α ≤ μt.β    (2)

where s occurs only in α, and t occurs only in β. That is, if by assuming the inclusion of the
recursive variables we can verify the inclusion of the bodies, then we can deduce the inclusion of
the recursive types. (It is interesting to check how subtyping now fails on the example above.)
Going back to the List example, if we have Nat ≤ Int and:

NatList ≜ μs.Unit+(Nat×s)
IntList ≜ μt.Unit+(Int×t)

then we can safely deduce NatList ≤ IntList from rule (2), since s ≤ t implies Unit+(Nat×s) ≤
Unit+(Int×t).

On the other hand, the Cell example does not work as smoothly.

NatCell ≜ μs.(Unit→Nat) × (Nat→s) × (s→s)
IntCell ≜ μt.(Unit→Int) × (Int→t) × (t→t)

Here we cannot conclude NatCell ≤ IntCell from rule (2), because of antimonotonicity: both the
inclusion of the second component (write) and the inclusion of the third (add) fail. This is
however not a deficiency of rule (2); such a conclusion would be unsound. For example, a
NatCell might have a write function of type Nat→NatCell that fails on negative numbers. If such
a cell were considered as an IntCell, it would be possible to pass a negative integer to this write
and cause it to fail. These issues are related to the typechecking of object types in object-oriented
languages, and are discussed at length in [15] and [8].
1.3 Equality of Recursive Types

We need now to consider strong notions of equality of recursive types. This is necessary
because rule (2) above is weak in some areas; for example, we cannot deduce directly from it
that:

μt.t→t ≤ μs.s→s

because this would require assuming both s ≤ t and t ≤ s. The combination of rule (2) and equality
rules will finally give us all the power we need.

To check whether two recursive types μs.α' and μt.β' are equivalent, we could assume s = t,
and attempt to prove α' = β' under this assumption. This would work for μt.t→t and μs.s→s. But
now consider the types:

α ≜ μs.Int→s        β ≜ μt.Int→Int→t

They both expand infinitely into Int→Int→Int→Int→..., and they also have the same set of
values (for example, recursive terms like μf.λx:Int.f). However, the assumption s = t does not
show Int→s = Int→Int→t; we get stuck on the question whether s = Int→t.

Another attempt might involve expanding the μ's, but unfortunately we cannot expand them
out of existence. By unfolding alone we can get only:

α = μs.Int→s = Int→(μs.Int→s) = Int→Int→(μs.Int→s) = Int→Int→α
β = μt.Int→Int→t = Int→Int→(μt.Int→Int→t) = Int→Int→β

which after a few unfoldings leaves us with the original problem of determining whether α = β.
This is what we meant earlier by the insufficiency of "α ≤ β if for every expansion α⁺ of α there
is a β⁺ of β with α⁺ ≤ β⁺".

In fact, we seem to have made some progress here; we have come back to the original
question α = β only after analyzing the entire structure of α and β. It seems that we should then be
able to conclude that α = β, because a complete analysis of α and β has found no contradiction.
This kind of reasoning is possible but it has to be carefully justified, and in general we need to
determine the conditions under which this stronger notion of equality does not lead to a circular
argument.

Note that in the process above we have found a single context C[X] = Int→Int→X such that
α = C[α] and β = C[β]; that is, both α and β are fixpoints of C. We shall be able to show that all
the non-trivial (formally, contractive) type contexts C[X] have unique fixpoints over infinite
trees, and therefore if they have two fixpoints these must be equal. Hence, the necessary rule for
determining type equality can be formulated as follows:

α = C[α] ∧ β = C[β] ∧ C contractive ⇒ α = β    (3)

It remains to be shown how to generate contractive contexts that allow us to equate any two 
types that have equal infinite expansions. This can be done via an algorithm, and in fact a natural 
one. We will show that this algorithm is sound (it will not equate types with different infinite 
expansions) and complete (it will equate all types that have equal infinite expansions). Such 
proofs of correctness of algorithms are among our major goals here, but first we need to carefully 
develop a formal framework. 
1.4 Subtyping of Recursive Types

The problem of equating recursive types such as α and β above can be related to well-known
solvable problems, such as the equivalence of finite-state automata. However, the similar
problem for subtyping has no well-known parallel. Take, for example:

γ ≜ μs.Int→s        δ ≜ μt.Nat→Nat→t

Again, looking at the infinite expansions we obtain γ = Int→Int→..., and δ = Nat→Nat→..., from
which we would like to deduce γ ≤ δ by antimonotonicity. But what are the exact rules? Attempts
to unfold γ and δ fall into the same difficulties as before.

The strategy here is to reduce the subtyping problem to an equality problem, which we solve
by rule (3), plus rule (2). That is, we first show that δ' ≜ μt.Nat→t = μt.Nat→Nat→t = δ. After
that, we can use rule (2) to show γ ≤ δ', and hence γ ≤ δ.

Initially, this strategy suggests a two-step algorithm that first synchronizes the recursions in 
some appropriate way, and then uses rule (2) without additional folding/unfolding. Instead, we 
present an algorithm that tests subtyping of recursive types directly; the correspondence between 
the algorithm and the rules is then less obvious. 

The example above involves two distinct recursive types for which rule (2) alone is not
sufficient to determine subtyping. This example may seem artificial; however, this situation can
easily happen in practice. As a slightly more plausible example, suppose we define the type of
lists of alternating integers and naturals:

IntNatList ≜ μt.Unit+Int×(Unit+Nat×t)

This definition could arise more naturally from a mutual recursion construct in some
programming language, for example:

Let Rec IntNatList = Unit+Int×NatIntList
and NatIntList = Unit+Nat×IntNatList

One would certainly expect NatList ≤ IntNatList to hold. But,

NatList ≜ μs.Unit+Nat×s

hence we have first to show that NatList = μs.Unit+Nat×(Unit+Nat×s), and only then can we
apply rule (2) successfully.

1.5 Algorithm outline 

We describe the algorithm informally and we show some sample runs. This is only an 
approximation of the algorithm analyzed in the formal part, but it should explain the main ideas. 
A more detailed description is given in section 4.4. 

A recursive type of the form μt. ...t... can be represented in memory as a cyclic linked
structure such that every occurrence of t in the recursive body is represented by the address of the
corresponding μt structure, i.e., by a back-pointer. Otherwise, all subexpressions of a type
expression, including μ subexpressions, are uniquely determined by their address in memory.
Every time the algorithm reaches a μ structure, possibly through a back-pointer, it has the option
of analyzing the interior of the structure ("unfolding" the recursive type) or of comparing its
address with other addresses as a termination condition. The algorithm for α ≤ β operates on a pair
of linked structures and a trail. A trail is a set of address pairs that records the pairs of addresses
that have been jointly encountered when following a pair of paths in the two linked structures. To
avoid diverging on cyclic structures, the algorithm registers a local successful termination when
it reaches a pair of addresses that has already been seen, that is, a pair of addresses that is
contained in the trail.

The algorithm to determine whether α ≤ β starts with an empty trail and proceeds through the
following steps in sequence. We only consider basic types, function types, and recursive types.

[1] Succeed if the pair of addresses of α and β (in this order) is contained in the trail.
    (In this situation, we have completely explored a pair of cyclic paths and found no
    subtyping failures; hence we declare success for these paths.)

[2] Succeed if α and β are type constants that are equal or in the subtype relation.
    (This is the base case for the given collection of basic types and basic inclusions.)

[3] When α is α'→α'' and β is β'→β'', recur on β' ≤ α' and on α'' ≤ β''. Succeed if both
    recursions succeed.
    (This is the case for function types; note the swapping of inclusion on the domains
    because of antimonotonicity of →; no such swapping would occur for data type
    constructors such as × and +.)

[4.1] When α is μt.α' and β is μs.β', add the pair of addresses of α and β (in this order) to
    the trail, and recur on α' ≤ β'. Succeed if the recursion succeeds.
    (The presence of μ's signals potential cyclic paths, hence we store the current pair of
    addresses in the trail so that case [1] can prevent looping. We use an ordered pair of
    addresses because inclusion is, obviously, not symmetric; this detail differs from the
    standard trail algorithms for type equivalence. The next two cases are similar.)

[4.2] When α is μt.α', add the pair of addresses of α and β to the trail, and recur on α' ≤ β.
    Succeed if the recursion succeeds.

[4.3] When β is μs.β', add the pair of addresses of α and β to the trail, and recur on α ≤ β'.
    Succeed if the recursion succeeds.

[5] Otherwise, fail. (This means we have found a pair of incomparable type expressions,
    such as a function type and a base type.)

A faithful description of a run of this algorithm would involve assigning arbitrary addresses 
to subexpressions of type expressions; this would only obscure the exposition. Instead, we 
display the type expressions and we leave their addresses implicit: the reader is urged to keep this 
in mind. 

The diagrams below represent execution trees. The starting goal is at the bottom, the
branching represents recursive calls, and the leaves represent termination conditions. The trail is
shown in curly brackets; its elements are written as t≤s, and represent pairs of addresses of type
expressions. We indicate in square brackets the step of the algorithm used in each line to obtain
the line above it.

The first sample run involves two types with matching μ structures; their inclusion is non-
trivial because of antimonotonicity.

{t≤s} t ≤ s [1]   {t≤s} ⊥ ≤ ⊥ [2]
    {t≤s} s→⊥ ≤ t→⊥ [3]                  {t≤s} ⊥ ≤ ⊤ [2]
            {t≤s} (t→⊥)→⊥ ≤ (s→⊥)→⊤ [3]
                {} μt.((t→⊥)→⊥) ≤ μs.((s→⊥)→⊤) [4.1]

The second sample run involves two types with mismatching μ structures. This mismatch
introduces the need to examine a cyclic path more than once. For this, we use a loopback step,
which corresponds to following a cyclic structure back to its original entry point (an artificial
loopback step is needed only because, as we said, we keep the address information implicit). In
the algorithm above, a loopback situation corresponds to a failure of step [1] followed by some
dereferencing of back-pointers that leads to step [4].

{t≤s, t≤⊥→s} ⊥ ≤ ⊤ [2]   {t≤s, t≤⊥→s} t ≤ s [1]
            {t≤s, t≤⊥→s} ⊤→t ≤ ⊥→s [3]
                {t≤s} μt.(⊤→t) ≤ ⊥→s [4.2]
{t≤s} ⊥ ≤ ⊤ [2]   {t≤s} t ≤ ⊥→s [loopback]
            {t≤s} ⊤→t ≤ ⊥→(⊥→s) [3]
                {} μt.(⊤→t) ≤ μs.(⊥→(⊥→s)) [4.1]

Hence, in this run we go around the μt loop twice in order to go around the μs loop once.

For other interesting examples, check how μt.(t→t) ≤ μs.(s→s) succeeds, and how μt.(t→⊥)
≤ μs.(s→⊤) fails.
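The algorithm of steps [1] to [5] above, written out as an added example (Python code of this edition, not from the paper). Object identity plays the part of the memory address, a bound type variable is resolved to the μ node that binds it (the back-pointer), and the trail is a set of ordered node pairs. Free type variables stand for basic type constants such as Int and Nat, whose basic inclusions are passed in through the `basic` parameter; that parameter and the sample types are this example's own assumptions.

```python
from dataclasses import dataclass

# Type expressions of the calculus: ⊥, ⊤, variables, α→β and μt.α.  eq=False keeps
# identity-based equality, so a node stands for its own "address" and the trail can
# be a set of ordered node pairs.
@dataclass(eq=False)
class Bot: pass
@dataclass(eq=False)
class Top: pass
@dataclass(eq=False)
class Var: name: str
@dataclass(eq=False)
class Arrow: dom: object; cod: object
@dataclass(eq=False)
class Mu: var: str; body: object


def subtype(a, b, basic=frozenset()):
    """Decide α ≤ β by steps [1]-[5].  A free type variable is a constant (Int, Nat,
    ...); `basic` holds the pairs (c, d) of constant names with c ≤ d."""

    def deref(ty, env):
        # A bound variable is a back-pointer: follow it to the μ node binding it,
        # together with the environment that was current when that μ was entered.
        return env[ty.name] if isinstance(ty, Var) and ty.name in env else (ty, env)

    def enter(mu, env):
        # Unfold one μ: inside its body, mu.var points back at mu itself.
        env = dict(env)
        env[mu.var] = (mu, env)
        return mu.body, env

    def go(a, env_a, b, env_b, trail):
        a, env_a = deref(a, env_a)
        b, env_b = deref(b, env_b)
        if (a, b) in trail:                                     # [1] cycle closed
            return True
        if isinstance(a, Bot) or isinstance(b, Top):            # [2] ⊥ ≤ β, α ≤ ⊤
            return True
        if isinstance(a, Var) and isinstance(b, Var):           # [2] constants
            return a.name == b.name or (a.name, b.name) in basic
        if isinstance(a, Arrow) and isinstance(b, Arrow):       # [3] domains swapped
            return (go(b.dom, env_b, a.dom, env_a, trail)
                    and go(a.cod, env_a, b.cod, env_b, trail))
        if isinstance(a, Mu) or isinstance(b, Mu):              # [4.1]-[4.3]
            trail = trail | {(a, b)}          # ordered pair: ≤ is not symmetric
            if isinstance(a, Mu):
                a, env_a = enter(a, env_a)
            if isinstance(b, Mu):
                b, env_b = enter(b, env_b)
            return go(a, env_a, b, env_b, trail)
        return False                                            # [5] incomparable

    return go(a, {}, b, {}, frozenset())


# Constructed sample types: the two runs above, the two suggested exercises,
# and γ, δ of section 1.4 (Int and Nat as constants with Nat ≤ Int).
RUN1_LEFT = Mu("t", Arrow(Arrow(Var("t"), Bot()), Bot()))        # μt.((t→⊥)→⊥)
RUN1_RIGHT = Mu("s", Arrow(Arrow(Var("s"), Bot()), Top()))       # μs.((s→⊥)→⊤)
RUN2_LEFT = Mu("t", Arrow(Top(), Var("t")))                      # μt.(⊤→t)
RUN2_RIGHT = Mu("s", Arrow(Bot(), Arrow(Bot(), Var("s"))))       # μs.(⊥→(⊥→s))
TT = Mu("t", Arrow(Var("t"), Var("t")))                          # μt.(t→t)
SS = Mu("s", Arrow(Var("s"), Var("s")))                          # μs.(s→s)
T_BOT = Mu("t", Arrow(Var("t"), Bot()))                          # μt.(t→⊥)
S_TOP = Mu("s", Arrow(Var("s"), Top()))                          # μs.(s→⊤)
GAMMA = Mu("s", Arrow(Var("Int"), Var("s")))                     # γ = μs.Int→s
DELTA = Mu("t", Arrow(Var("Nat"), Arrow(Var("Nat"), Var("t"))))  # δ = μt.Nat→Nat→t
NAT_LE_INT = frozenset({("Nat", "Int")})

if __name__ == "__main__":
    print(subtype(RUN1_LEFT, RUN1_RIGHT), subtype(RUN2_LEFT, RUN2_RIGHT))        # True True
    print(subtype(TT, SS), subtype(T_BOT, S_TOP))                                # True False
    print(subtype(GAMMA, DELTA, NAT_LE_INT), subtype(DELTA, GAMMA, NAT_LE_INT))  # True False
```

The run on TT ≤ SS shows why the trail holds ordered pairs: the domains of t→t and s→s force the algorithm to visit the pair (μs, μt) as well as (μt, μs) before step [1] closes both cycles.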

One of the main aims of this paper is to show that the algorithm above is consistent with, and 
in fact equivalent to, the rules (2) and (3) of sections 1.2 and 1.3. For this we need to place both 
the rules and the algorithm in a more formal framework. 



1.6 Formal development 

Having explained most of the problems and the unsatisfactory solutions arising from 
subtyping recursive types, we can now proceed to the formal treatment. 

So far we have discussed rules for the subtyping of recursive types which are motivated by
some operational intuition. In the following we will broaden our perspective and consider various
notions of type equivalence, α = β, and subtyping, α ≤ β. These are induced by:

a) An ordering on infinite trees: α =_T β, α ≤_T β (Section 3)

b) An algorithm: α =_A β, α ≤_A β (Section 4)

c) A collection of typing rules: α =_R β, α ≤_R β (Section 5)

d) A collection of per models: α =_M β, α ≤_M β (Section 6)

The mathematical content of the paper consists mainly in analyzing the relationships between 
these notions. For a simply typed lambda calculus with recursive types (described in Section 2) 
we show, among other properties: 

α =_T β ⇔ α =_A β ⇔ α =_R β ⇒ α =_M β
α ≤_T β ⇔ α ≤_A β ⇔ α ≤_R β ⇒ α ≤_M β

Moreover, we prove a restricted form of completeness with respect to the model (6.3), we
show the definability in the calculus of certain maps that interpret coercions (7.1), and we give an
algorithm for computing the minimal type of a term with respect to ≤_T (7.2). All these results
support the relevance of the theory for the subtyping of recursive types sketched in this
introduction.

2. A Simply Typed λ-calculus with Recursive Types

We consider a simply typed λ-calculus with recursive types and two ground types ⊥ (bottom)
and ⊤ (top); the latter play the roles of least and greatest elements in the subtype relation.
Although this calculus is very simple, it already embodies the most interesting problems for
which we can provide solutions sufficiently general to extend to other domains. In the
conclusions we comment on which techniques can be applied to more complex calculi.²

2.1 Types 

In an informal BNF notation, types are defined as follows:

t, s, ...    type variables and type constants, indifferently
α ::= ⊤ | ⊥ | t | α→β | μt.α

Types are identified up to renaming of bound variables. We use parentheses to determine
precedence; in their absence, → associates to the right, and the scoping of μ extends to the right
as far as possible. For simplicity we omit the other type constructors considered in the
introduction.

2.2 Terms 

Terms are denoted with M, N, ...; the following rules establish when a term M has type α
(written M:α).

(assmp) x^α : α

(→I) M : β ⇒ (λx^α.M) : α→β

(→E) M : α→β, N : α ⇒ (MN) : β

(fold) M : [μt.α/t]α ⇒ (fold_{μt.α} M) : μt.α

(unfold) M : μt.α ⇒ (unfold_{μt.α} M) : [μt.α/t]α

Hence terms are either typed variables, typed λ-abstractions, applications, or fold and unfold
coercions. The latter should be subscripted with the intended recursive type, to facilitate type
inference, but these subscripts are sometimes omitted. The fold/unfold coercions are technical
devices to explicitly contract or expand the recursive type of a term; that is, such contractions and
expansions do not happen automatically.

2.3 Equations

Here are some fundamental equations for the calculus. In particular, notice that the constants
"fold" and "unfold" establish an isomorphism between a recursive type and its unfolding.

(β) (λx^α.M)N = [N/x^α]M

fold(unfold x) = x        unfold(fold x) = x

In section 6 we will consider a model in which many more types and terms are equated, for
example the following will be valid equations:

(fold-unfold) [μt.α/t]α = μt.α

(η) λx^α.Mx^α = M    if x^α ∉ FV(M)

(⊥) x^⊥ = y^⊥

(⊤) x^⊤ = y^⊤

² Conventions: ≜ stands for equality by definition; ≡ for abbreviation or syntactic identification;
⊢ precedes a judgment provable in a certain formal system; ⊃ is the linguistic implication; ⇒ is the
metalinguistic implication; [U/x]V denotes the substitution of U for x in V.



3. Tree Ordering 

There is a well-established theory of subtyping for the non-recursive types. Basic motivations
can be found, for example, in [11]. The notion of non-recursive type is merely syntactic; it means
that the type does not contain μ's. The purpose of this section is to extend this theory to the
recursive types, by defining a notion of approximation on infinite trees.

3.1 Subtyping Non-recursive Types

We have the following simple rules. There is a least type ⊥ and a greatest type ⊤; the operator
→ is antimonotonic in the first argument and monotonic in the second. The relation ≤ is reflexive
by virtue of (var) and (→) below.

(⊥) ⊥ ≤ α

(⊤) α ≤ ⊤

(var) t ≤ t

(→) α' ≤ α, β ≤ β' ⇒ α→β ≤ α'→β'

It is fairly easy to prove that the derivability relation, which holds between α and β iff α ≤ β is
derivable in the system above, is a partial order on the collection of non-recursive types. In
particular, one has to show that the transitivity rule:

(trans) α ≤ β, β ≤ γ ⇒ α ≤ γ

is derived. This can be proven by defining a collection of rewriting rules on proofs that have the
property that, when applied to a proof using transitivity, produce a (trans)-free proof of the same
judgment. More abstractly one can look at the rules as the clauses of an inductive definition of a
binary relation and show that such a relation is transitive (see 3.4.4).

3.2 Folding and Unfolding 

Should the types [μt.α/t]α and μt.α be considered as equivalent? In general they are provably
isomorphic in the calculus via fold and unfold. However, in most languages fold and unfold are
implicit, and most implementations do not generate run-time code for them. So it seems
reasonable to require that [μt.α/t]α ≤ μt.α and μt.α ≤ [μt.α/t]α, thereby making unfolding
transparent.

In fact, we will exhibit a model of the calculus in which μt.α and [μt.α/t]α are equated
because recursive domain equations are solved up to equality. However, a theory of type
equivalence based only on the congruence closure of:

(fold-unfold) [μt.α/t]α ≤ μt.α        μt.α ≤ [μt.α/t]α

turns out to be too weak; for example, the types μt.s→s→t and μt.s→t are not equivalent.

Once we assume the transparency of unfolding, it seems natural to consider types with the 
same infinite expansions as equivalent. Infinite expansion can be rephrased as an approximation 
property such that the semantics of a type is completely determined by the semantics of its finite 
syntactic approximations. In fact, this is a very desirable property in the semantics of 
programming languages (see, for example, the approximation theorem in [29]). 

3.3 Tree Expansions 

As we have seen, simple unfolding does not induce a sufficiently strong notion of type 
equivalence. A stronger condition of approximation seems required to deal with infinite 
expansions. Let us first explain how to associate a finitely branching, labeled, regular tree with 
any recursive type. 

Paths in a tree are represented by finite sequences of natural numbers π, σ ∈ ω*, with πσ for
concatenation and nil as the empty sequence.

Nodes in a tree are labeled by a ranked alphabet L = {⊥⁰, ⊤⁰, →²} ∪ {t⁰ | t is a type
variable}, where the superscripts indicate arity.

A tree A ∈ ω* ⇀ L is a partial function from (paths) ω* into (node labels) L, whose domain is
non-empty and prefix-closed, and such that each node has a number of children equal to the rank
of the associated label.

Formally, let A(π)↓ indicate that π is in the domain of A (and A(π)↑ indicate the opposite).
Then the collection Tree(L) of finitely-branching labeled trees over L is given by the partial
maps:

A: ω* ⇀ L such that:
  A(nil)↓
  A(πσ)↓ ⇒ A(π)↓
  A(π) = pⁱ ⇒ ∀0 ≤ j < i. A(πj)↓

We can now define a function T: Type → Tree(L) from recursive types (as defined in 2.1) to
Tree(L). Let hμ be the function that counts the number of μ's in the head position of a type. We
define T(α)(π) by induction on (|π|, hμ(α)):

T(⊥)(nil) ≜ ⊥        T(⊤)(nil) ≜ ⊤        T(t)(nil) ≜ t

T(α→β)(nil) ≜ →      T(α→β)(0π) ≜ T(α)(π)      T(α→β)(1π) ≜ T(β)(π)

T(μt.α)(nil) ≜ ⊥                 if α has the shape μt₁....μtₙ.t (t ≢ tᵢ, i ∈ 1..n, n ≥ 0)

T(μt.α)(π) ≜ T([μt.α/t]α)(π)     if α does not have the shape above

T(α)(π) ↑                        in all other cases

Note that the α→β case reduces |π|, and the second μt.α case preserves |π| while reducing hμ(α); this
entails that the definition is well-founded.
Here are some simple examples; the tree on the right repeats itself after the ⊤: 

  T(s→μt.t) =   →          T(μt.⊥→(⊤→t)) =   → 
               / \                            / \ 
              s   ⊥                          ⊥   → 
                                                / \ 
                                               ⊤   (repeats) 

Finally, define the collection of finite trees, Tree_fin(L), as follows: 
  Tree_fin(L) ≜ {A ∈ Tree(L) | ∃k. ∀π∈ω*. |π|>k ⇒ A(π)↑ } 

Remarks 

3.3.1 T induces a bijection between Tree_fin(L) and non-recursive types. We denote its 
inverse with T⁻¹. 

3.3.2 Tree(L) is a complete metric space with respect to the usual metric on trees [4]. In 
fact it is the completion of the space of finite trees Tree_fin(L). We recall: 

- A metric space is complete iff every Cauchy sequence converges. 

- A map f:M→M over a metric space M with distance d is contractive iff there is a real 
number q<1 such that ∀a,b∈M: d(f(a),f(b)) ≤ q·d(a,b). 

- Banach's fixpoint theorem asserts that a contractive map over a complete metric space 
has a unique fixpoint. 

- The distance d(A,B) on Tree(L) is defined as either 0 if A=B, or else 2^(-c(A,B)), where 
c(A,B) is either ∞ if A=B, or else it is the length of a shortest path that distinguishes A 
from B. 

3.3.3 For every α, Tα is a regular tree, that is, a tree with a finite number of different 
subtrees. Every tree is completely specified by the language of its occurrences, where if p∈L 
and A∈Tree(L) then the occurrences are Occ(p,A) = {π∈ω* | A(π) = p}. In particular, every 
regular tree A has an associated set {πp | π∈Occ(p,A), p∈L} which is a regular language [16]. 

From this it follows that given types α, β, the problem of deciding if Tα = Tβ is reducible 
to the problem of the equivalence of deterministic finite-state automata. 

3.3.4 Going back to the example in 3.2, observe that T(μt.s→s→t) = T(μt.s→t). 

3.4 Finite Approximations 

Finite trees are in one-one correspondence with the non-recursive types, therefore they have a 
partial order as defined in 3.1. The problem we are going to consider now is how to extend this 
partial order on finite trees to Tree(L). 

Hence, we introduce the notion of finite approximation of a tree. It is crucial to keep in mind 
the antimonotonic behavior of the → in its first argument. 

We define a family of functions: 

  { ·|k : Tree(L) → Tree_fin(L) }_{k∈ω} 

Given A∈Tree(L) its cut at the k-th level is defined as follows: 

  A|k(π) ≜ 
    ↑       if |π| > k 
    A(π)    if |π| < k, or |π| = k and A(π)↑ 
    ⊥       if |π| = k, A(π)↓, and π is positive in A 
    ⊤       if |π| = k, A(π)↓, and π is negative in A 

where we say that π is positive (negative) in A if along the path π from the root we select the left 
sibling of a node labeled → an even (odd) number of times. 
We can extend this definition to types: 

  α|k ≜ T⁻¹((Tα)|k)    (a non-recursive type) 



Convention 

The bijection T, T⁻¹ between Tree_fin(L) and non-recursive types is from now on often omitted. 
That is, given any finite tree A∈Tree_fin(L), we ambiguously identify it with the corresponding 
non-recursive type. Similarly, for A∈Tree(L), we denote with A|k both its cut and the 
corresponding non-recursive type. 



We are now ready to introduce a notion of tree ordering. 



3.4.1 Definition (tree ordering) 

  For A,B ∈ Tree_fin(L):  A ≤fin B  ⇔  T⁻¹A ≤ T⁻¹B (as finite types; see 3.1) 
  For A,B ∈ Tree(L):      A ≤ B     ⇔  ∀k. (A|k ≤fin B|k) 
  For α,β ∈ Type:         α ≤T β    ⇔  Tα ≤ Tβ 



Remarks 

3.4.2 ≤ is a partial order on Tree(L). 

3.4.3 α ≤T β is a preorder on recursive types, and is such that for all k, α|k ≤T α. We can 
now show, for example, α = μt.⊤→t ≤T μt.⊥→(⊥→t) = β; consider the tree expansions: 

  Tα =    →            Tβ =    → 
         / \                  / \ 
        ⊤   →                ⊥   → 
           / \                  / \ 
          ⊤   ...              ⊥   ... 

Observe that ⊤ and ⊥ always occur in negative position, so from ⊥≤⊤ we can conclude ∀k. 
α|k ≤ β|k and this gives us the statement. 
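As an added example (not from the paper), the following Python encodes the tree expansion T(α)(π) of 3.3, the cut α|k of 3.4 with its positive/negative bookkeeping, and the ordering ≤fin on finite types, and checks the claim α = μt.⊤→t ≤T β = μt.⊥→(⊥→t) level by level; the tuple encoding of types and all function names are my own assumptions.

```python
import itertools

# Recursive types as nested tuples (my own constructed encoding, not the paper's notation):
#   BOT, TOP, ('var', t), ('arrow', a, b), ('mu', t, body)
BOT = ('bot',)
TOP = ('top',)

def subst(ty, t, repl):
    """[repl/t]ty. Capture-free because all bound variables are taken distinct (Proviso, 4.1)."""
    tag = ty[0]
    if tag == 'var':
        return repl if ty[1] == t else ty
    if tag == 'arrow':
        return ('arrow', subst(ty[1], t, repl), subst(ty[2], t, repl))
    if tag == 'mu':
        return ty if ty[1] == t else ('mu', ty[1], subst(ty[2], t, repl))
    return ty

def is_mu_var_chain(body, t):
    """Does body have the shape mu t1....mu tn.t with t distinct from every ti (n >= 0)?"""
    while body[0] == 'mu':
        if body[1] == t:
            return False
        body = body[2]
    return body == ('var', t)

def unfold_head(ty):
    """Strip head mu's: a mu whose body is a variable chain denotes bot, any other mu is unfolded once."""
    while ty[0] == 'mu':
        ty = BOT if is_mu_var_chain(ty[2], ty[1]) else subst(ty[2], ty[1], ty)
    return ty

def tree(ty, path):
    """T(ty)(path) of 3.3: the label at path in the infinite expansion, or None where undefined.
    Paths are tuples over {0, 1}; 'arrow', 'bot', 'top' or a variable name is returned."""
    ty = unfold_head(ty)                       # preserves |path|, lowers the number of head mu's
    if path == ():
        return ty[1] if ty[0] == 'var' else ty[0]
    if ty[0] == 'arrow' and path[0] in (0, 1):
        return tree(ty[1 + path[0]], path[1:])  # the arrow case shortens the path
    return None

def cut(ty, k, negative=False):
    """alpha|k of 3.4 as a non-recursive type: a node at depth k becomes bot in positive
    position and top in negative position; shallower nodes are kept as they are."""
    ty = unfold_head(ty)
    if k == 0:
        return TOP if negative else BOT
    if ty[0] == 'arrow':                        # the left argument flips the polarity
        return ('arrow', cut(ty[1], k - 1, not negative), cut(ty[2], k - 1, negative))
    return ty

def le_fin(a, b):
    """The ordering on finite types (3.1): bot is least, top is greatest, variables
    are related only to themselves, and arrow is contravariant in its first argument."""
    if a == BOT or b == TOP:
        return True
    if a[0] == 'arrow' and b[0] == 'arrow':
        return le_fin(b[1], a[1]) and le_fin(a[2], b[2])
    return a == b                               # remaining case: identical variables

def le_tree_upto(a, b, depth):
    """a <=_T b checked on every cut up to the given depth (3.4.1)."""
    return all(le_fin(cut(a, k), cut(b, k)) for k in range(depth + 1))

def same_tree_upto(a, b, depth):
    """Ta = Tb on all paths of length <= depth."""
    paths = (p for n in range(depth + 1) for p in itertools.product((0, 1), repeat=n))
    return all(tree(a, p) == tree(b, p) for p in paths)

# The running example of 3.4.3 and the equivalence of 3.3.4, constructed here.
ALPHA = ('mu', 't', ('arrow', TOP, ('var', 't')))                                    # mu t. top -> t
BETA = ('mu', 't', ('arrow', BOT, ('arrow', BOT, ('var', 't'))))                     # mu t. bot -> (bot -> t)
LONG = ('mu', 't', ('arrow', ('var', 's'), ('arrow', ('var', 's'), ('var', 't'))))  # mu t. s -> s -> t
SHORT = ('mu', 't', ('arrow', ('var', 's'), ('var', 't')))                           # mu t. s -> t
```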

3.4.4 One can think of other tree orderings; for example, consider the following 
inductive definition that gives an ordering ≤Ind on Tree(L). 

≤Ind is the least reflexive relation such that, ∀A,B,A',B' ∈ Tree(L): 

  ⊥ ≤Ind A;    A ≤Ind ⊤;    A' ≤Ind A, B ≤Ind B'  ⇒  (A→B) ≤Ind (A'→B') 

where A→B denotes the tree with root → and immediate subtrees A and B. Equivalently, 
≤Ind = ∪_{n<ω} ≤n where: 

  ≤0   = {(⊥,A),(A,⊤) | A∈Tree(L)} ∪ Id_Tree(L) 

  ≤n+1 = ≤n ∪ {(A→B, A'→B') | A' ≤n A, B ≤n B'} 

It is not difficult to prove by induction on n that ≤Ind is a partial order on Tree(L), it 
conservatively extends the ordering on Tree_fin(L) and it is contained in ≤. Moreover, such 
containment is strict as shown by the example in 3.4.3. In fact, ≤Ind lacks the crucial 
approximation property possessed by ≤. 



4. An Algorithm 

In this section we show that the tree ordering we have defined on types (3.4.1) can be decided 
by a rather natural modification of the algorithm that tests directly (that is, without reduction to a 
minimal form) the tree equivalence of two types. 

4.1 Canonical Forms 

The first step towards formalizing the algorithm is to introduce canonical forms for types and 
systems of equations. 

Canonical forms of types allow us to ignore the trivial type equivalences due to redundant 
uses of μ binders. For example, the recursive type (μt.μs.t→s)→((μt.t)→(μt.⊤)) can be 
simplified to the canonical form (μv.v→v)→(⊥→⊤) without changing the denoted tree. In a 
canonical form, the body of each μ is an → type, and each μ variable is used in its μ body. Note, 
however, that different canonical forms may generate the same tree, for example μt.s→t, 
s→μt.s→t, and μt.s→s→t. 

Implementations of the subtyping algorithm manipulate cyclic linked data structures in 
computer memory. We represent these data structures abstractly as special sets of equations. 
Informally, each equation relates a memory address, represented by a variable, to a node of the 
data structure, represented by a type constant or a type constructor applied to variables. For 
example, here is a simple type with a corresponding equational representation and a possible 
memory representation: 

  Type        Equations        A memory representation (v0 is the root) 
                               Addr.   Node   Child1   Child2 
  μt.⊥→t      v0 = v1→v0       0:      →      1        0 
              v1 = ⊥           1:      ⊥ 

Sets of equations in this stylized form are called canonical. In this section we show that a 
canonical set of equations, along with a root variable, determines a unique tree which is called 
the solution of the equations. Moreover, we give effective ways of going from a type to a 
canonical set of equations, and vice versa, while preserving the represented tree. 
Proviso 

In order to have a simple correspondence between recursive types and systems of regular 
equations, we assume that all variables, both bound and free, in the types α₁,...,αₙ under 
consideration are distinct. When a type is unfolded, the necessary renaming of bound variables 
must be performed. For example, (μt.t→s)→(μs.t→s) should be rewritten as 
(μv.v→s)→(μr.t→r). 

4.1.1 Recursive Types in Canonical Form 

Henceforth, Tp denotes the collection of non-recursive types, and μTp denotes the collection 
of recursive types in canonical form, defined as follows: 

  α ::= ⊥ | ⊤ | t | α→β | μt.α→β 

where in the case μt.α→β, t must occur free in α→β. Hence the body of a μ in canonical form 
must immediately start with an →; in particular, it cannot be another μ. The introduction of μTp 
simplifies the case analysis in the following proofs. 

4.1.2 Proposition (existence of canonical forms) 

For every type α there is a type β in canonical form such that Tα=Tβ. 
Proof 

The crucial observation is that T(μt.μs.γ[t,s]) = T(μv.γ[v,v]). See also 5.1.3 for a proof of this 
fact that uses the rules for type equivalence. □ 

4.1.3 Regular System of Equations in Canonical Form 

Systems of regular equations are a well-known tool for representing regular trees (see for 
example [16], [17]). 

For our purposes a regular system of equations in canonical form is an element of Tenv, that 
is, a finite association of distinct type variables (members of Tvar) with types in a specific form: 

  Tenv = { ε ∈ Tvar ⇀ Tp | Dom(ε) is finite and ∀t∈Dom(ε) we have that 
           ε(t) is one of ⊥, ⊤, t₁, t₂→t₃, where t₁∉Dom(ε) and t₂,t₃∈Dom(ε) } 

A pair (α, ε) ∈ Tp × Tenv represents the following system of regular equations (not 
necessarily in canonical form because α may be complex): 

  t_α = α        (t_α a fresh variable) 
  t = ε(t)       for each t∈Dom(ε) 

It is important to observe that, by the definition of Tenv, this system defines a contractive 
functional (G₀,...,Gₙ) over Tree(L)^(n+1) (see remark 3.3.2) where n = |Dom(ε)|, Dom(ε) = {t₁,..., 
tₙ} and: 

  G₀(A₀,...,Aₙ) ≜ [A₀/t_α, A₁/t₁,...,Aₙ/tₙ]Tα 

  Gᵢ(A₀,...,Aₙ) ≜ [A₀/t_α, A₁/t₁,...,Aₙ/tₙ]Tε(tᵢ)    (1≤i≤n) 

The predicate Reach(α,ε) denotes the variables reachable from the free variables in α by 
applying the equations in ε. Formally: 

  Reach(t,ε)⁰   = {t} 

  Reach(t,ε)ⁿ⁺¹ = if t∉Dom(ε) then {t} 
                  if t∈Dom(ε) then 
                     if ε(t)=⊥ or ε(t)=⊤ then ∅ 
                     if ε(t)=s then {s} 
                     if ε(t)=t₁→t₂ then Reach(t₁,ε)ⁿ ∪ Reach(t₂,ε)ⁿ 

  Reach(t,ε) = ∪_{n∈ω} Reach(t,ε)ⁿ 
  Reach(α,ε) = ∪_{t∈FV(α)} Reach(t,ε) 



4.1.4 Definition (solution of a system) 

We denote with Sol(α, ε) the first component B₀ of the solution (B₀,...,Bₙ) in Tree(L)^(n+1) of 
the system associated with (α, ε). The solution is given by Banach's unique fixpoint theorem (see 
remark 3.3.2). 

Remark 

Given a system of regular equations in canonical form, it is possible to minimize the 
number of variables by a procedure that is analogous to the one for minimizing the number of 
states in a deterministic finite-state automaton. This immediately provides an algorithm for 
deciding the equality of the trees represented by two regular systems of equations in 
canonical form. 



In the rest of this section we describe maps between types and regular systems of equations in 
canonical form, as summarized by the following diagram, where all the paths leading from a 
node to Tree(L) commute. 

             (*, E) 
   Type  ------------->  Tvar × Tenv 
         <-------------  
   |        ⟨ , ⟩            | 
   | T                       | Sol 
   v                         v 
   Tree(L)  ============  Tree(L) 

4.1.5 Proposition (From recursive types to regular systems) 

There is a pair of maps * ∈ Type→Tvar, E ∈ Type→Tenv such that: 
  ∀α∈Type. Tα = Sol(α*, Eα) 

Proof 

It is enough to prove the result for every term in μTp. Then the lemma follows by 4.1.2. We 
now define (*, E) by induction on the structure of γ ∈ μTp. 

Cases γ≡t, γ≡⊥, and γ≡⊤. Take γ*=s and Eγ={s=γ}, for any s not appearing in the original type 
α. 
Case γ≡α→β. 

We denote with p[t₁...tₖ] for p∈L\{t₁...tₖ} a type in Tp of the form p(u₁...u_#p), where #p is the 
arity of p, and {u₁...u_#p} ⊆ {t₁...tₖ}. 

Assume, by induction hypothesis, that Eα={tᵢ₊₁=pᵢ[t₂...tₙ₊₁] | i∈1..n}, α*=t₂, 
Eβ={tₙ₊₁₊ⱼ=qⱼ[tₙ₊₂...tₙ₊ₘ₊₁] | j∈1..m}, and β*=tₙ₊₂. (We require here that t₁, t₂...tₙ₊₁, and 
tₙ₊₂...tₙ₊ₘ₊₁ are disjoint variables not appearing in the original α; otherwise a consistent 
renaming must be performed.) Then Eγ is the following system and γ*=t₁: 

  t₁     = r₁[t₁...tₙ₊ₘ₊₁]     = t₂→tₙ₊₂ 
  t₂     = r₂[t₁...tₙ₊ₘ₊₁]     = p₁[t₂...tₙ₊₁] 
  ... 
  tₙ₊₁   = rₙ₊₁[t₁...tₙ₊ₘ₊₁]   = pₙ[t₂...tₙ₊₁] 
  tₙ₊₂   = rₙ₊₂[t₁...tₙ₊ₘ₊₁]   = q₁[tₙ₊₂...tₙ₊ₘ₊₁] 
  ... 
  tₙ₊ₘ₊₁ = rₙ₊ₘ₊₁[t₁...tₙ₊ₘ₊₁] = qₘ[tₙ₊₂...tₙ₊ₘ₊₁] 

The property Sol(γ*, Eγ) = Sol(t₁, Eγ) = Sol(t₂→tₙ₊₂, Eγ) = Sol(t₂, Eα)→Sol(tₙ₊₂, Eβ) = Tγ follows 
easily from the induction hypothesis. 

Case γ≡μt.α→β. 

Let γ'=[γ/t]α→[γ/t]β (of course Tγ'=Tγ). As in the previous case, assume 
Eα={tᵢ₊₁=pᵢ[t₂...tₙ₊₁] | i∈1..n}, α*=t₂, Eβ={tₙ₊₁₊ⱼ=qⱼ[tₙ₊₂...tₙ₊ₘ₊₁] | j∈1..m} and β*=tₙ₊₂. Then 
Eγ is the following system and γ*=t₁: 

  t₁     = r₁[t₁...tₙ₊ₘ₊₁]     = t₂→tₙ₊₂ 

  t₂     = r₂[t₁...tₙ₊ₘ₊₁]     = t₂→tₙ₊₂ | p₁[t₂...tₙ₊₁] 
  ... 
  tₙ₊₁   = rₙ₊₁[t₁...tₙ₊ₘ₊₁]   = t₂→tₙ₊₂ | pₙ[t₂...tₙ₊₁] 

  tₙ₊₂   = rₙ₊₂[t₁...tₙ₊ₘ₊₁]   = t₂→tₙ₊₂ | q₁[tₙ₊₂...tₙ₊ₘ₊₁] 
  ... 
  tₙ₊ₘ₊₁ = rₙ₊ₘ₊₁[t₁...tₙ₊ₘ₊₁] = t₂→tₙ₊₂ | qₘ[tₙ₊₂...tₙ₊ₘ₊₁] 

By t₂→tₙ₊₂ | pᵢ[t₂...tₙ₊₁] we denote t₂→tₙ₊₂ if pᵢ=t, and pᵢ[t₂...tₙ₊₁] otherwise. Analogously, 
t₂→tₙ₊₂ | qⱼ[tₙ₊₂...tₙ₊ₘ₊₁] denotes t₂→tₙ₊₂ if qⱼ=t, and qⱼ[tₙ₊₂...tₙ₊ₘ₊₁] otherwise. Next proceed 
by induction on (|π|, γ) to prove Tγ(π)=Sol(γ*, Eγ)(π). The only difficulty arises for γ≡μt.α→β. 
In order to apply the induction hypothesis one needs a lemma. Following the notation above we 
show, for instance, Sol(t₂, Eγ) = Sol([γ/t]α*, E[γ/t]α). See 4.1.7 for a proof of a related fact that 
gives the main insights while being slightly simpler. □ 

Here is an example of the procedure described in the proof above. Consider: 
  γ = μt.t→⊥. 

For the base cases t and ⊥ we have (cunningly choosing the names t₂ and t₃): 

  t* = t₂;   Et = {t₂=t} 

  ⊥* = t₃;   E⊥ = {t₃=⊥} 

From the μ case of the proof we obtain: 

  γ* = t₁;   Eγ = {t₁ = t₂→t₃, t₂ = t₂→t₃, t₃ = ⊥} 
Note the first two equations of the system Eγ; the redundancy facilitates the uniform treatment of 
the μ case. 

4.1.6 Definition (From regular systems to recursive types) 

We define a function ⟨·,·⟩: Tp×Tenv → Type by induction on (|Dom(ε)|, α): 

  ⟨⊥,ε⟩   ≜ ⊥ 
  ⟨⊤,ε⟩   ≜ ⊤ 
  ⟨α→β,ε⟩ ≜ ⟨α,ε⟩→⟨β,ε⟩ 
  ⟨t,ε⟩   ≜ t                if t∉Dom(ε) 
  ⟨t,ε⟩   ≜ μt.⟨ε(t),ε\t⟩    if t∈Dom(ε) 

where ε\t is like ε except that it is undefined on t. 

Continuing the example above, we have: 

  ⟨γ*,Eγ⟩ = ⟨t₁,{t₁ = t₂→t₃, t₂ = t₂→t₃, t₃ = ⊥}⟩ 
          = μt₁.⟨t₂→t₃,{t₂ = t₂→t₃, t₃ = ⊥}⟩ 
          = μt₁.(⟨t₂,{t₂ = t₂→t₃, t₃ = ⊥}⟩ → ⟨t₃,{t₂ = t₂→t₃, t₃ = ⊥}⟩) 
          = μt₁.(μt₂.⟨t₂→t₃,{t₃ = ⊥}⟩ → μt₃.⟨⊥,{t₂ = t₂→t₃}⟩) 
          = μt₁.(μt₂.(⟨t₂,{t₃ = ⊥}⟩ → ⟨t₃,{t₃ = ⊥}⟩) → μt₃.⊥) 
          = μt₁.(μt₂.(t₂ → μt₃.⟨⊥,{}⟩) → μt₃.⊥) 
          = μt₁.(μt₂.(t₂ → μt₃.⊥) → μt₃.⊥) 

The last line is equivalent to the original type γ = μt.t→⊥, as established in general by the 
following proposition. 

4.1.7 Proposition (More on commuting translations) 

(1) For any system of equations, the first component of the solution coincides with the tree 
expansion of the associated recursive type: 

  ∀(α, ε) ∈ Tp × Tenv. Sol(α, ε) = T⟨α,ε⟩    (we abbreviate T(⟨α,ε⟩) as T⟨α,ε⟩) 

(2) The map ⟨·,·⟩ satisfies the conditions: 

  1. ⟨⊥,ε⟩ = ⊥ 
  2. ⟨⊤,ε⟩ = ⊤ 
  3. ⟨t,ε⟩ = t                       if t∉Dom(ε) 
  4. T⟨t,ε⟩ = T⟨ε(t),ε⟩              if t∈Dom(ε) 
  5. T⟨α→β,ε⟩ = T(⟨α,ε⟩ → ⟨β,ε⟩) 
  6. T⟨α*,Eα⟩ = Tα 

Proof 

(1) Show by induction on (|π|, α) that T⟨α,ε⟩(π) = Sol(α, ε)(π). 
The interesting case arises when α=t, t∈Dom(ε), ε(t) = t₁→t₂. 
Then, Sol(t, ε) = Sol(ε(t), ε) = Sol(t₁→t₂, ε); 
and, T⟨t,ε⟩ = T(μt.⟨ε(t), ε\t⟩) = T[⟨t,ε⟩/t]⟨t₁→t₂, ε\t⟩. 
In order to apply the induction hypothesis and complete this case 
one needs to prove T⟨tᵢ, ε⟩ = T([⟨t,ε⟩/t]⟨tᵢ, ε\t⟩)   (i=1,2). 
To obtain the latter, we show the following lemma: 

  For any canonical system ε, and type variables t, t', 
  we have T⟨t', ε⟩ = T([⟨t,ε⟩/t]⟨t', ε\t⟩). 

We proceed by induction on the depth of the path π, and by case analysis, to show: 

  T⟨t', ε⟩(π) = T([⟨t,ε⟩/t]⟨t', ε\t⟩)(π). 

Case t≡t': [⟨t,ε⟩/t]⟨t', ε\t⟩ = [⟨t,ε⟩/t] t' = ⟨t,ε⟩ = ⟨t',ε⟩. 
Case t≢t': 

Subcase t∈Dom(ε), t'∈Dom(ε): 

Say: ε(t) = t₁→t₂, ε(t') = t'₁→t'₂. 
Then: α ≡ ⟨t',ε⟩ = μt'. ⟨t'₁,ε\t'⟩→⟨t'₂,ε\t'⟩, 
and Tα is the tree with root → and subtrees 
  T([⟨t',ε⟩/t'] ⟨t'₁,ε\t'⟩)   and   T([⟨t',ε⟩/t'] ⟨t'₂,ε\t'⟩). 

Also: β ≡ [⟨t,ε⟩/t]⟨t', ε\t⟩ = [⟨t,ε⟩/t](μt'. ⟨t'₁,ε\t\t'⟩→⟨t'₂,ε\t\t'⟩) = 
  = [⟨t,ε⟩/t] ([⟨t',ε\t⟩/t'](⟨t'₁,ε\t\t'⟩→⟨t'₂,ε\t\t'⟩)). 
So: Tβ is the tree with root → and subtrees 
  T[⟨t,ε⟩/t] ([⟨t',ε\t⟩/t'] ⟨t'₁,ε\t\t'⟩)   and   T[⟨t,ε⟩/t] ([⟨t',ε\t⟩/t'] ⟨t'₂,ε\t\t'⟩). 

If the current path is not nil, we can apply the inductive hypothesis on the shorter path π w.r.t.: 

(i) the variables t', t'ᵢ (i=1,2) and the system ε to show: 

  T⟨t'ᵢ,ε⟩(π) = T([⟨t',ε⟩/t']⟨t'ᵢ,ε\t'⟩)(π). 

(ii) the variables t', t'ᵢ (i=1,2) and the system ε\t to show: 

  T⟨t'ᵢ,ε\t⟩(π) = T[⟨t',ε\t⟩/t'](⟨t'ᵢ,ε\t\t'⟩)(π). 

(iii) the variables t, t'ᵢ (i=1,2) and the system ε to show: 

  T[⟨t,ε⟩/t]⟨t'ᵢ,ε\t⟩(π) = T⟨t'ᵢ,ε⟩(π). 

Finally we use the substitutivity of the T operation, T[γ/t]δ = [Tγ/t]Tδ, to conclude Tα=Tβ. 
Subcase t∈Dom(ε), t'∉Dom(ε): 

Say: ε(t) = t₁→t₂. 

Then: T⟨t', ε⟩ = t' 

  T([⟨t,ε⟩/t]⟨t', ε\t⟩) = T([⟨t,ε⟩/t] t') = t'. 
Subcase t∉Dom(ε), t'∈Dom(ε): 

Say: ε(t') = t'₁→t'₂. 

Then: T([⟨t,ε⟩/t]⟨t', ε\t⟩) = T([t/t]⟨t', ε\t⟩) = T⟨t', ε\t⟩ = T⟨t', ε⟩. 
Subcase t∉Dom(ε), t'∉Dom(ε): 

Then: T([⟨t,ε⟩/t]⟨t', ε\t⟩) = T[t/t] t' = Tt' = T⟨t', ε⟩. 

(2) Conditions 1, 2, 3, 5 follow by definition. 
Condition 4 follows from Sol(t,ε) = Sol(ε(t),ε) and part (1). 

Condition 6 follows from prop. 4.1.5 and part (1): Tα = Sol(α*, Eα) = T⟨α*, Eα⟩. □ 

4.2 Computational Rules 

The subtyping algorithm described in this section is based on the canonical sets of equations 
described in the previous section (again, these equations can be interpreted as linked data 
structures in memory). The algorithm involves a single set of equations ε, with two distinct roots 
α and β representing the types to be compared. It also involves a trail Σ of the form {t₁≤s₁,..., 
tₙ≤sₙ}, which records inclusions of variables discovered as the algorithm progresses. An 
invocation of the algorithm with parameters Σ, ε, α and β, is written as the judgment Σ,ε ⊃ α≤β. 

The algorithm is not expressed as an ordinary procedure, but as a collection of rules that 
resembles a Prolog program. The typical rule is written as a logical implication of judgments: 
  Σ₁,ε₁ ⊃ α₁≤β₁,  Σ₂,ε₂ ⊃ α₂≤β₂  ⇒  Σ,ε ⊃ α≤β 

Operationally, this means that in order to determine whether Σ,ε ⊃ α≤β holds, we must invoke the 
"subroutines" Σ₁,ε₁ ⊃ α₁≤β₁ and Σ₂,ε₂ ⊃ α₂≤β₂ and check whether they hold. In general, given a 
logical deduction in this system of rules, the algorithm execution can be recovered by reading the 
rules backwards from the conclusion to the assumptions. 

In the following, t,s,r,u denote arbitrary variables; a,b denote variables not in the domain of ε; 
Σ is a finite set of subtyping assumptions on pairs of type variables; and α,β∈Tp. 
The algorithm can then be written as follows: 

  (assmp_A)  Σ,ε ⊃ t≤s                                            if t≤s∈Σ 

  (⊥_A)      Σ,ε ⊃ ⊥≤β 

  (⊤_A)      Σ,ε ⊃ α≤⊤ 

  (var_A)    Σ,ε ⊃ a≤a 

  (→_A)      Σ,ε ⊃ α'≤α,  Σ,ε ⊃ β≤β'  ⇒  Σ,ε ⊃ α→β ≤ α'→β' 

  (μ_A)      Σ∪{t≤s},ε ⊃ ε(t)≤ε(s)  ⇒  Σ,ε ⊃ t≤s                   if t,s∈Dom(ε) 



The initial judgment Σ,ε ⊃ α≤β that starts an execution of the algorithm must obey a special 
condition expressing some reasonable assumptions. This condition says that the initial type 
structures α, β are simple root variables denoting disjoint structures, and that Σ has not yet come 
into play. For Σ={t₁≤s₁,..., tₙ≤sₙ}, define: 

  Vars(Σ) = {t₁,s₁,...,tₙ,sₙ} 
  Σ # ε  ⇔  Vars(Σ) ∩ Dom(ε) = ∅ 

Then, a judgment Σ,ε ⊃ α≤β satisfies the initiality condition (or equivalently, is an initial goal) iff 
α≡t, β≡s, ε can be decomposed in ε₁∪ε₂ so that t∈Dom(ε₁) and s∈Dom(ε₂), Dom(ε₁)∩Dom(ε₂) 
= ∅, and Σ # ε. 

By the way canonical systems are constructed, and by the fact of starting with an initial goal, 
the expansion of variables according to ε, as in (μ_A), is always synchronized. That is, in a call to 
Σ,ε ⊃ α≤β during the execution of the algorithm we never have a situation where α is a variable in 
Dom(ε) and β is not, or vice versa; hence (μ_A) covers all the cases that may arise. If one desires 
to treat more general systems of equations, then it may be necessary to introduce other μ-rules 
that take into account situations in which just an ε-expansion on the left (or the right) is needed. 
In these cases we would have rules like: 

  (assmp'_A)  Σ,ε ⊃ α≤β                                                   if α≤β∈Σ 

  (μ_lA)      Σ∪{t≤α'→β'},ε ⊃ ε(t)≤α'→β'  ⇒  Σ,ε ⊃ t≤α'→β'                if t∈Dom(ε) 

  (μ_rA)      Σ∪{α'→β'≤s},ε ⊃ α'→β'≤ε(s)  ⇒  Σ,ε ⊃ α'→β'≤s                if s∈Dom(ε). 

Note also that there are two conceptually distinct uses of the rule (assmp_A) in the algorithm: 
one for the initial assumptions contained in Σ, which represent known inclusions on type 
constants, and one for the assumptions inserted during the computation, which come from the 
unfolding of μ's. 
4.2.1 Generating the Execution Tree 

Given a goal Σ,ε ⊃ t≤s, the algorithm consists in applying the inference rules backwards, 
generating subgoals in the cases (→_A) and (μ_A). This process is completely determined once we 
establish that (assmp_A) has priority over the other rules and (⊥_A) has priority over (⊤_A). 

A tree of goals built this way is called an execution tree. If no rules are applicable to a certain 
subgoal, that branch of the execution tree is abandoned, and execution is resumed at the next 
subgoal, until all subgoals are exhausted. 

4.2.2 Termination 

The execution tree is always finite. Observe that if t≤s is the assumption that we add to Σ, 
then t and s are type variables in Dom(ε). Also observe that the (→_A) rule shrinks the size of the 
current goal by replacing it with subexpressions of the goal, and that each application of a μ-rule 
enlarges Σ. 

The bound on the depth of the execution tree for α ≤_A β is of the order of the product of the 
sizes of the two systems Eα, Eβ. 

4.2.3 Algorithm Ordering 

An execution tree succeeds if all the leaves correspond to an application of one of the rules 
(assmp_A), (⊥_A), (⊤_A), and (var_A). Dually, it fails if at least one leaf is an unfulfilled goal (no rule 
can be applied). 

We write ⊢_A Σ,ε ⊃ t≤s iff Σ,ε ⊃ t≤s is an initial goal (4.2) and the corresponding execution tree 
succeeds. 

Given recursive types α,β we write: 

  α ≤_A β  ⇔  ⊢_A ∅,Eα∪Eβ ⊃ α*≤β* 

For testing type equality, we can define: 

  α =_A β  ⇔  α ≤_A β ∧ β ≤_A α 

Alternatively, we could directly define a (more efficient) type equality algorithm, along the same 
lines as the subtyping algorithm. 
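As an added example (not the paper's own code), this Python builds a canonical system of equations for two types in μTp, allocating one equation per subterm (a direct allocation that denotes the same tree as the inductive (*, E) of 4.1.5), and then runs the rules of 4.2 backwards with the trail Σ, deciding α ≤_A β and α =_A β; the tuple encoding of types and all names are my own assumptions.

```python
import itertools

# Types in canonical form (mu-bodies are arrows), as nested tuples; my own encoding:
#   BOT, TOP, ('var', t), ('arrow', a, b), ('mu', t, body)
BOT = ('bot',)
TOP = ('top',)

def to_system(ty, eps, env, fresh):
    """Add to eps one equation per subterm of ty, in the form required by Tenv (4.1.3):
    v = bot | top | a | v1 -> v2, with a a free variable and v1, v2 in Dom(eps).
    env maps mu-bound variables to the variable of their arrow node. Returns the root
    variable (the role of alpha*)."""
    if ty[0] == 'var' and ty[1] in env:
        return env[ty[1]]
    v = next(fresh)
    if ty[0] == 'mu':                      # reserve v for the cycle, then fill in the arrow body
        if ty[2][0] != 'arrow':
            raise ValueError("type is not in canonical form")
        env = dict(env, **{ty[1]: v})
        ty = ty[2]
    if ty[0] == 'arrow':
        eps[v] = ('arrow', to_system(ty[1], eps, env, fresh), to_system(ty[2], eps, env, fresh))
    else:
        eps[v] = ty                        # ('bot',), ('top',) or a free variable ('var', a)
    return v

def judge(sigma, eps, a, b):
    """Sigma, eps |- a <= b, reading the rules of 4.2 backwards. Goals are either two
    variables of Dom(eps) or two right-hand sides (the expansions stay synchronized);
    (assmp_A) has priority, and (bot_A) is tried before (top_A)."""
    if isinstance(a, str) and isinstance(b, str):
        if (a, b) in sigma:                                   # (assmp_A)
            return True
        return judge(sigma | {(a, b)}, eps, eps[a], eps[b])  # (mu_A): record, expand both sides
    if a == BOT or b == TOP:                                  # (bot_A), (top_A)
        return True
    if a[0] == 'var' and b[0] == 'var':                       # (var_A): the same free variable
        return a == b
    if a[0] == 'arrow' and b[0] == 'arrow':                   # (arrow_A): contravariant on the left
        return judge(sigma, eps, b[1], a[1]) and judge(sigma, eps, a[2], b[2])
    return False                                              # no rule applies: failure leaf

def le_A(alpha, beta):
    """alpha <=_A beta (4.2.3): the initial goal  {}, E(alpha) u E(beta) |- alpha* <= beta*,
    with the two systems allocated on disjoint variable names (t1, t2, ... and s1, s2, ...)."""
    eps = {}
    root_a = to_system(alpha, eps, {}, (f"t{i}" for i in itertools.count(1)))
    root_b = to_system(beta, eps, {}, (f"s{i}" for i in itertools.count(1)))
    return judge(frozenset(), eps, root_a, root_b)

def eq_A(alpha, beta):
    """alpha =_A beta as both inclusions (4.2.3)."""
    return le_A(alpha, beta) and le_A(beta, alpha)
```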

4.3 Soundness and Completeness of the Algorithm 

We now show that the subtyping algorithm described in the previous section is sound and 
complete with respect to the infinite-tree interpretation of types. That is, the algorithm precisely 
embodies our intuition of recursive types as infinite trees. 

First we prove soundness and completeness for non-recursive types. Soundness is then 
derived by observing that a successful execution of the algorithm on some input must also be 
successful on all the finite approximations of the input. Completeness is proven by examining a 
failing execution tree, and concluding that the trees corresponding to the input must have been 
different to start with. 

4.3.1 Lemma (Derived structural computational rules) 

Given the definition of Tenv in 4.1.3, the algorithm in 4.2, and the ordering in 4.2.3, we have: 
Σ-weaken 

  If ⊢_A Σ,ε ⊃ t≤s and Σ∪Σ' # ε then ⊢_A Σ∪Σ',ε ⊃ t≤s. 
Σ-strengthen 

  If ⊢_A Σ∪Σ',ε ⊃ t≤s and Reach(t→s,ε)∩Vars(Σ') = ∅ then ⊢_A Σ,ε ⊃ t≤s. 
ε-weaken 

  If ⊢_A Σ,ε ⊃ t≤s, Reach(t→s,ε)∩Dom(ε') = ∅, Σ # ε∪ε', 
  and Dom(ε)∩Dom(ε') = ∅ then ⊢_A Σ,ε∪ε' ⊃ t≤s. 
ε-strengthen 

  If ⊢_A Σ,ε∪ε' ⊃ t≤s and Reach(t→s,ε)∩Dom(ε') = ∅ 
  then ⊢_A Σ,ε ⊃ t≤s. 

4.3.2 Proposition (Completeness of ≤_A for non-recursive types) 
Given α,β∈Tp non-recursive types then α ≤_T β ⇒ α ≤_A β. 

Proof 

Let ε = Eα∪Eβ. We show α ≤_T β ⇒ ∀Σ. Σ # ε ⇒ ⊢_A Σ,ε ⊃ α*≤β* by induction on the structure 
of α and β. 

Case α=⊥. Then ε = {α*=⊥}∪Eβ. Take any Σ s.t. Σ # ε: 

  ⇒ Σ∪{α*≤β*},ε ⊃ ε(α*)≤ε(β*)    by (⊥_A) since ε(α*)=⊥ 

  ⇒ Σ,ε ⊃ α*≤β*                  by (μ_A) since α*,β*∉Vars(Σ) 

Cases α=⊤, α=a. Similar. 

Case α=α'→α''. Since α ≤_T β, we have either: 

Case β=⊤, similar to the case α=⊥. 

Case β=β'→β'', with β' ≤_T α' and α'' ≤_T β''. 

Then ε = {α*=α'*→α''*}∪{β*=β'*→β''*}∪ε'∪ε'' where 

  ε' = Eα'∪Eβ' and ε'' = Eα''∪Eβ''. 
By induction hypothesis ∀Σ'. Σ' # ε' ⇒ ⊢_A Σ',ε' ⊃ β'*≤α'* 

and ∀Σ''. Σ'' # ε'' ⇒ ⊢_A Σ'',ε'' ⊃ α''*≤β''*. 
Take any Σ such that Σ # ε; then: 

  ⊢_A Σ,ε' ⊃ β'*≤α'* and ⊢_A Σ,ε'' ⊃ α''*≤β''*. 
By ε-weaken (note Σ # ε ⇒ Σ # ε'∪ε''): 

  ⊢_A Σ,ε'∪ε'' ⊃ β'*≤α'* and ⊢_A Σ,ε'∪ε'' ⊃ α''*≤β''*. 
By Σ-weaken: 

  ⊢_A Σ∪{α*≤β*},ε'∪ε'' ⊃ β'*≤α'* and ⊢_A Σ∪{α*≤β*},ε'∪ε'' ⊃ α''*≤β''*. 
Hence, by applying (→_A) and (μ_A) we can conclude ⊢_A Σ,ε ⊃ α*≤β*. □ 

4.3.3 Proposition (Soundness of ≤_A for non-recursive types) 
Given α,β∈Tp non-recursive types then α ≤_A β ⇒ α ≤_T β. 

Proof 

We show ⊢_A ∅,ε ⊃ α*≤β* ⇒ α ≤_T β, where ε = Eα∪Eβ, by induction on the structure of α 
and β. 

Case α=⊥. Then ⊥ ≤_A β by (⊥_A) ((assmp_A) does not apply), and also ⊥ ≤_T β. 
Cases α=⊤, α=a. Similar. 

Case α=α'→α''. Assume ⊢_A ∅,ε ⊃ α*≤β*; then the first step is either: 
Case (⊤_A). Similar to the case α=⊥. 

Case (μ_A). Then the second step is (→_A), that is also β=β'→β'' 
with {α*≤β*},ε ⊃ β'*≤α'* and {α*≤β*},ε ⊃ α''*≤β''*, 
where ε = {α*=α'*→α''*}∪{β*=β'*→β''*}∪ε'∪ε'' and 
ε' = Eα'∪Eβ' and ε'' ≜ Eα''∪Eβ''. 

Since α,β contain no μ, Reach(β'*→α'*,ε)∩(Dom(ε'')∪{α*,β*})=∅. 

By a simple analysis we have: ⊢_A {α*≤β*},ε'∪ε'' ⊃ β'*≤α'*. 

By ε-strengthen ⊢_A {α*≤β*},ε' ⊃ β'*≤α'*. Similarly, ⊢_A {α*≤β*},ε'' ⊃ α''*≤β''*. 

Now, by Σ-strengthen ⊢_A ∅,ε' ⊃ β'*≤α'* and ⊢_A ∅,ε'' ⊃ α''*≤β''*. 

By induction hypothesis β' ≤_T α' and α'' ≤_T β''; hence α'→α'' ≤_T β'→β''. □ 

4.3.4 Lemma (Uniformity of ≤_A) 

Let α,β∈Type. If α ≤_A β then ∀k. α|k ≤_A β|k. 
Proof (sketch) 

Given any k, from the execution tree of α ≤_A β it is possible to extract a successful execution 
tree for α|k ≤_A β|k. The point is that the use of the (assmp_A) rule can be arbitrarily delayed by 
repeating a certain pattern of computation. 

For example, consider μt.⊤→t ≤_A μs.⊥→s, which gives rise to: 

  ε = ε₁∪ε₂,   ε₁ = {t₁=t₂→t₁, t₂=⊤},   ε₂ = {s₁=s₂→s₁, s₂=⊥}. 

The execution tree of the initial goal ∅,ε ⊃ t₁≤s₁ is (read bottom-up: each goal is reduced to 
the goals written above it, and the rule closing a leaf is shown beside it): 

                                 (⊥_A) 
  ⇒ {t₁≤s₁, s₂≤t₂},ε ⊃ ⊥≤⊤                       (assmp_A) 
  ⇒ {t₁≤s₁},ε ⊃ s₂≤t₂            ⇒ {t₁≤s₁},ε ⊃ t₁≤s₁ 
  ⇒ {t₁≤s₁},ε ⊃ t₂→t₁ ≤ s₂→s₁ 
  ⇒ ∅,ε ⊃ t₁≤s₁ 

The goal under (assmp_A) can be replaced by a copy of the entire tree, appropriately renamed. At 
the same time, ε must be appropriately expanded: 

  ε = ε₁∪ε₂,   ε₁ = {t₁=t₂→u₁, t₂=⊤, u₁=u₂→u₁, u₂=⊤}, 
               ε₂ = {s₁=s₂→v₁, s₂=⊥, v₁=v₂→v₁, v₂=⊥}. 

                                                       (⊥_A) 
                                 ⇒ {t₁≤s₁, u₁≤v₁, v₂≤u₂},ε ⊃ ⊥≤⊤           (assmp_A) 
  (⊥_A)                          ⇒ {t₁≤s₁, u₁≤v₁},ε ⊃ v₂≤u₂         ⇒ {t₁≤s₁, u₁≤v₁},ε ⊃ u₁≤v₁ 
  ⇒ {t₁≤s₁, s₂≤t₂},ε ⊃ ⊥≤⊤       ⇒ {t₁≤s₁, u₁≤v₁},ε ⊃ u₂→u₁ ≤ v₂→v₁ 
  ⇒ {t₁≤s₁},ε ⊃ s₂≤t₂            ⇒ {t₁≤s₁},ε ⊃ u₁≤v₁ 
  ⇒ {t₁≤s₁},ε ⊃ t₂→u₁ ≤ s₂→v₁ 
  ⇒ ∅,ε ⊃ t₁≤s₁ 

This is now the execution tree of a different initial goal, which might have originated from the 
problem ⊤→(μt.⊤→t) ≤_A ⊥→μs.(⊥→s), which is equivalent to the original problem. 

In a similar way, this execution tree can be further transformed into one for ⊤→(⊤→⊥) ≤_A 
⊥→(⊥→⊥) by replacing the (assmp_A) leaf with a (⊥_A) leaf. By repeating this process we can 
obtain an execution tree for α|k ≤_A β|k, for an arbitrarily large k. □ 

4.3.5 Proposition (Soundness of ≤_A) 
Let α,β∈Type; if α ≤_A β then α ≤_T β. 

Proof 

From 4.3.4 we have: α ≤_A β ⇒ ∀k. α|k ≤_A β|k. 
From 4.3.3 and the definition of ≤_T we have: ∀k. α|k ≤fin β|k and α ≤_T β. □ 

4.3.6 Lemma (Faithfulness of ≤_A w.r.t. paths) 

Let lead(α,ε) = Sol(α,ε)(nil) be the first label of α in ε (that is, skipping initial variables in 
α,ε). 

Let Σ,ε ⊃ α≤β be the root of an execution tree, terminating with success or failure leaves, 
obtained from the rules in 4.2. Every node Σ',ε ⊃ α'≤β' in the execution tree determines a path π 
from the root to itself, given by considering the occurrences of (→_A) and ignoring the other rules. 
Then: 

1) Either α' and β' are both (bound) type variables, or neither is. 

2) Tα(π) = lead(α',ε) and Tβ(π) = lead(β',ε). 
Proof 

By induction on the depth of the execution tree. □ 

4.3.7 Proposition (Completeness of ≤_A) 
Let α,β∈Type; if α ≤_T β then α ≤_A β. 

Proof 

We show ¬(α ≤_A β) ⇒ ¬(Tα ≤ Tβ). 

By assumption, we have an execution tree for α ≤_A β which contains a failure node Σ,ε ⊃ 
α'≤β', determining a path π as in Lemma 4.3.6. By 4.3.6.(2), Tα(π) = lead(α',ε) and Tβ(π) = 
lead(β',ε). Hence we have a common path in Tα and Tβ corresponding to the failure node. The 
following table summarizes the possible cases for α', β', where the entry indicates either failure or 
the rule being applied by the algorithm; the n.a. (not applicable) cases come from 4.3.6.(1). 

  α' \ β'   |  ⊥      |  ⊤      |  s        |  b         |  β'→β'' 
  ----------+---------+---------+-----------+------------+---------- 
  ⊥         |  (⊥_A)  |  (⊥_A)  |  n.a.     |  (⊥_A)     |  (⊥_A) 
  ⊤         |  fail   |  (⊤_A)  |  n.a.     |  fail      |  fail 
  t         |  n.a.   |  n.a.   |  assmp-μ  |  n.a.      |  n.a. 
  a         |  fail   |  (⊤_A)  |  n.a.     |  var-fail  |  fail 
  α'→α''    |  fail   |  (⊤_A)  |  n.a.     |  fail      |  (→_A) 

Every "fail" in the algorithm corresponds to a situation where the two trees cannot be in the 
inclusion relation. □ 
4.4 An Implementation 

In order to facilitate the proofs, the representation of data structures and algorithms given in 
4.1 and 4.2 was rather abstract. In this section we show the beginning of a similar treatment for 
more concrete and traditional representations. 

The computational rules in 4.2 can be converted into a straightforward and practical 
algorithm, based on the method of trails [28]. To reflect more closely actual implementations, we 
adopt the additional rules (assmp'_A), (μ_lA) and (μ_rA) described in 4.2. This results in the 
algorithm discussed informally in 1.5, but differs slightly from the one treated formally in 4.2 
and 4.3 where the additional rules are not needed because the systems of equations are taken in 
canonical form. 

A member α of μTp is represented as a directed cyclic graph l,S where the nodes in S are 
uniquely labeled (for example by memory addresses), and where l is the starting label. Each μ in 
α corresponds to a cycle in S. 

More concretely, using an informal programming notation, S is a Store, where Store = 
Label ⇀ Node are the partial functions from labels to nodes (from memory addresses to memory 
locations). Then Graph = Label×Store, where Label = Nat, and Node = Bot+Top+Var(Tvar)+ 
Arrow(Label×Label)+Rec(Label). 

An allocator transforms a type into a graph structure: 

  Alloc: μTp×Store×(Tvar⇀Label) → Graph 

Let new(S) be a label l (for example the least one) such that l∉dom(S). We denote by S[l=Bot] a 
store that is just like S except that S(l)=Bot. 

  Alloc(⊥, S, e) ≜ 
    let l = new(S) in l,S[l=Bot] 
  Alloc(⊤, S, e) ≜ 
    let l = new(S) in l,S[l=Top] 
  Alloc(t, S, e) ≜ 
    if t∈dom(e) then e(t),S 
    else let l = new(S) in l,S[l=Var(t)] 
  Alloc(α→β, S, e) ≜ 
    let l',S' = Alloc(α, S, e) 
    and l'',S'' = Alloc(β, S', e) 
    let l = new(S'') in l,S''[l=Arrow(l',l'')] 
  Alloc(μt.α, S, e) ≜ 
    let l = new(S) 
    let l',S' = Alloc(α, S[l=Bot], e[t=l]) 
    in l,S'[l=Rec(l')] 

The allocation of μt.α is done by reserving a new memory location l, then allocating the body 
α by binding every occurrence of t to l, and finally storing a Rec node containing the allocation 
of α back into l. The store S[l=Bot] is used in the recursion to prevent l from being returned 
again by new. 
Given a path in ω*, we can define a (partial) access function that returns the node 
corresponding to that path in a graph, but skipping over Rec nodes: 

  GT : Graph → Tree(L)    (where Tree(L) = ω* ⇀ L, section 3.3) 

  GT(l,S)(nil) ≜ 
    if S(l) = Rec(l') then GT(l', S)(nil) 
    if S(l) = Bot then ⊥ 
    if S(l) = Top then ⊤ 
    if S(l) = Var(t) then t 
    if S(l) = Arrow(l',l'') then → 
  GT(l,S)(0.s) ≜ 
    if S(l) = Rec(l') then GT(l', S)(0.s) 
    if S(l) = Arrow(l',l'') then GT(l',S)(s) 
    else ↑ 
  GT(l,S)(1.s) ≜ 
    if S(l) = Rec(l') then GT(l',S)(1.s) 
    if S(l) = Arrow(l',l'') then GT(l'',S)(s) 
    else ↑ 
  GT(l,S)(n+2.s) ≜ ↑ 
We now show that Alloc is correct, and that the initial state S is irrelevant. 

4.4.1 Proposition 

∀α∈μTp. ∀S,l',S'. 
  Alloc(α,S,[]) = l',S' ⇒ GT(l',S') = Tα 
Proof (sketch) 

If l∉dom(S) then S[l=v] is a single extension of S. S' is an extension of S if it is S, or if it is 
the single extension of an extension of S. 

We indicate by S+ an arbitrary (finite) extension of S. Note that: 

If l∈dom(S) then S(l) = S+(l). 
If Alloc(α, S, e) = l',S' then l'∈dom(S') and S' is an extension of S. 
∀S+. l∈dom(S) ⇒ GT(l,S) = GT(l,S+). 

To obtain the proposition, we need to prove a stronger statement: 

∀α∈μTp. ∀n≥0. ∀S, m_1..m_n, α_1..α_n, l', S', π. 
  Alloc(α,S,[t_i=m_i]) = l',S' ∧ 
  (∀π' s.t. |π'|<|π|. ∀S+. GT(m_i,S+)(π') = Tα_i(π') for all i∈1..n) ⇒ 
  ∀S'+. GT(l',S'+)(π) = T([α_i/t_i]α)(π) 

The proof is then by induction on |π|; the hard case is π=i.s, i∈{0,1}, and α = μt.α'→α''. 
□ 



In the implementation of the algorithm, the assumption set Σ is represented as a trail, that is, 
a set of label pairs. This has the task of remembering the pairs of labels in the cyclic graphs that 
have been jointly visited. 

From two types α and β we produce two graphs l_α,S_α and l_β,S_αβ such that S_αβ extends S_α. 

Then Alg(∅,S_αβ,l_α,l_β) proceeds as follows, mimicking the rules in 4.2: 

Alg(Tr, S, l, l') ≜ 
  if (l,l') ∈ Tr then ok 
  else if S(l) = Bot then ok 
  else if S(l') = Top then ok 
  else if S(l) = Var(t) and S(l') = Var(t) then ok 
  else if both S(l) = Arrow(l_1,l_2) and S(l') = Arrow(l_1',l_2') then 
    Alg(Tr, S, l_1', l_1); Alg(Tr, S, l_2, l_2') 
  else if S(l) = Rec(l_1) and S(l') ≠ Rec(l_1') then 
    Alg(Tr∪{(l,l')}, S, l_1, l') 
  else if S(l) ≠ Rec(l_1) and S(l') = Rec(l_1') then 
    Alg(Tr∪{(l,l')}, S, l, l_1') 
  else if S(l) = Rec(l_1) and S(l') = Rec(l_1') then 
    Alg(Tr∪{(l,l')}, S, l_1, l_1') 
  else fail 

An alternative approach is to avoid Rec nodes completely, and have the allocator construct 
direct loops in the graph. This leads to an algorithm where trails must be kept of every pair of 
nodes, instead of every pair of nodes of which one is a Rec node. This algorithm is closer to the 
formulation of the rules in 4.2, while the present algorithm, which in practice produces much 
shorter trails, uses the equivalent of the (μ_lA) and (μ_rA) rules described there. 

4.4.2 Definition 

α ≤_c β ⇔ ∀S,l',S',l'',S''. 
  Alloc(α,S,[]) = l',S' ∧ Alloc(β,S',[]) = l'',S'' ⇒ Alg(∅,S'',l',l'') = ok 

From this point on it seems possible to mimic sections 4.3.4-4.3.7, modulo the use of the 
(μ_lA) and (μ_rA) rules, and show α ≤_c β iff α ≤_T β, but we have not checked the cumbersome 
details. 
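Alloc, GT, Alg and Definition 4.4.2 together, as an added Python example that is not the paper's code: types and store nodes use a constructed tuple encoding, `gt` returns None where the page writes ↑, `alg` returns True for ok and False for fail, and the helper names `graph_tree` and `subtype_c` are mine. Reading a type's graph back through `graph_tree` checks Proposition 4.4.1 on that type, and `subtype_c` is ≤_c.

```python
# Added example (not the paper's code). Constructed encodings:
#   type   ::= ('bot',) | ('top',) | ('var', t) | ('arrow', a, b) | ('rec', t, a)
#   node   ::= ('Bot',) | ('Top',) | ('Var', t) | ('Arrow', l1, l2) | ('Rec', l)
#   store  ::= dict label -> node   (Label = Nat, as on the page)

def new(store):
    """new(S): the least label not in dom(S)."""
    l = 0
    while l in store:
        l += 1
    return l

def alloc(ty, store, env):
    """Alloc(alpha, S, e) -> (label, store'), one branch per clause of the page;
    env maps mu-bound variables to the label reserved for them."""
    kind = ty[0]
    if kind in ('bot', 'top'):
        l = new(store)
        return l, {**store, l: ('Bot',) if kind == 'bot' else ('Top',)}
    if kind == 'var':
        if ty[1] in env:                      # bound by an enclosing mu: reuse its label
            return env[ty[1]], store
        l = new(store)
        return l, {**store, l: ('Var', ty[1])}
    if kind == 'arrow':
        l1, s1 = alloc(ty[1], store, env)
        l2, s2 = alloc(ty[2], s1, env)
        l = new(s2)
        return l, {**s2, l: ('Arrow', l1, l2)}
    if kind == 'rec':
        l = new(store)                        # reserve l; S[l=Bot] keeps new() from
        body_store = {**store, l: ('Bot',)}   # handing it out again inside the body
        l1, s1 = alloc(ty[2], body_store, {**env, ty[1]: l})
        return l, {**s1, l: ('Rec', l1)}      # close the cycle with the Rec node
    raise ValueError(f'unknown type constructor {kind!r}')

def gt(l, store, path, seen=frozenset()):
    """GT(l,S)(path): the label in L at `path` (a list of 0/1), skipping Rec nodes;
    None stands for the page's undefined result. `seen` only matters for mu t.t,
    a Rec cycle with no Arrow, which the page identifies with bottom (mu-bot, 5.1)."""
    node = store[l]
    if node[0] == 'Rec':
        if l in seen:
            return 'bot' if not path else None
        return gt(node[1], store, path, seen | {l})
    if not path:
        if node[0] == 'Var':
            return node[1]
        return {'Bot': 'bot', 'Top': 'top', 'Arrow': '->'}[node[0]]
    if node[0] == 'Arrow' and path[0] in (0, 1):
        return gt(node[1 + path[0]], store, path[1:])
    return None

def graph_tree(ty, paths, store=None):
    """Allocate ty (in an arbitrary initial store, cf. Proposition 4.4.1) and read
    the tree labels back through GT."""
    l, s = alloc(ty, dict(store or {}), {})
    return [gt(l, s, list(p)) for p in paths]

def alg(trail, store, l, lp):
    """Alg(Tr, S, l, l'): True for ok, False for fail. The trail holds label pairs
    already visited through a Rec node, so meeting them again succeeds (the mu_A rule)."""
    if (l, lp) in trail:
        return True
    n, m = store[l], store[lp]
    if n[0] == 'Bot' or m[0] == 'Top':
        return True
    if n[0] == 'Var' and m[0] == 'Var' and n[1] == m[1]:
        return True
    if n[0] == 'Arrow' and m[0] == 'Arrow':
        # contravariant in the domain, covariant in the codomain
        return alg(trail, store, m[1], n[1]) and alg(trail, store, n[2], m[2])
    if n[0] == 'Rec' or m[0] == 'Rec':
        # unfold whichever side(s) is a Rec node, remembering the pair (l, l')
        extended = trail | {(l, lp)}
        return alg(extended, store,
                   n[1] if n[0] == 'Rec' else l,
                   m[1] if m[0] == 'Rec' else lp)
    return False

def subtype_c(alpha, beta):
    """alpha <=_c beta (Definition 4.4.2): allocate alpha, then beta in the store
    extended by alpha, and run Alg with an empty trail on the two start labels."""
    la, s1 = alloc(alpha, {}, {})
    lb, s2 = alloc(beta, s1, {})
    return alg(frozenset(), s2, la, lb)

if __name__ == '__main__':
    top_loop = ('rec', 't', ('arrow', ('top',), ('var', 't')))           # mu t. top -> t
    print(graph_tree(top_loop, [(), (0,), (1,), (1, 1, 0), (2,)]))       # ['->', 'top', '->', 'top', None]
    bot_left = ('arrow', ('bot',), ('rec', 's', ('arrow', ('var', 's'), ('var', 's'))))
    print(subtype_c(top_loop, bot_left), subtype_c(bot_left, top_loop))  # True False
```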



5. Typing Rules 

In this section we introduce a certain number of axioms and rules for type equality and 
subtyping. These are intended as natural rules for a language based on subtyping, and as a 
specification of a subtyping algorithm for such a language. In section 4 we have studied such a 
subtyping algorithm; here we see that the algorithm and the rules match each other perfectly, by 
relating them both to trees. 
5.1 Type Equivalence Rules 

We say that a type α is contractive in the type variable t if either t does not occur free in α, or 
α can be rewritten via unfolding as a type of the shape α_1→α_2. We write this fact as α↓t. 

It is now easy to observe that the contractiveness of α in t is a sufficient (and necessary) 
condition to enforce the contractiveness of the following functional on the space Tree(L) (3.3): 

G_{α,t}(A) ≜ [A/t]Tα     A∈Tree(L) 

([A/t]Tα denotes the substitution of the tree A for the occurrences of t in Tα.) 

This remark suggests the following rule that is generalized to a larger calculus in [13]: 

(contract)  [β/t]α = β, [β'/t]α = β', α↓t ⇒ β = β' 

In words, if two types β and β' are fixpoints of the same functional α[t], then they are equal since 
contractive functionals have unique fixpoints. This rule was also inspired by a standard proof 
technique for bisimulation [23]. 

Moreover, it is convenient to identify μt.t = ⊥. 

In this section we consider the equivalence: 

⊢ α = β   (or α =_R β) 

meaning that α = β can be derived in the congruence induced by the (contract) rule and the (fold- 
unfold) and (μ-⊥) axioms below. Here is the complete axiomatization: 



(refl)         α = α 

(symm)         α = β ⇒ β = α 

(trans)        α = β, β = γ ⇒ α = γ 

(→-congr)      α = α', β = β' ⇒ α→β = α'→β' 

(μ-congr)      α = β ⇒ μt.α = μt.β 

(μ-⊥)          μt.t = ⊥ 

(fold-unfold)  [μt.α/t]α = μt.α 

(contract)     [β/t]α = β, [β'/t]α = β', α↓t ⇒ β = β' 



5.1.1 Proposition (Soundness of the equivalence rules w.r.t. the trees) 

α =_R β ⇒ Tα = Tβ 

Proof 

Immediate by the previous considerations. □ 

5.1.2 Derived Rules 

By means of (contract) and (fold-unfold) it is possible to prove new interesting equivalences, 
for example: 

(1) μt.s→t = μt.s→(s→t) 

(2) μt.μs.α = μv.[v/t,v/s]α   (μ-contraction) 

We make explicit a free variable by writing, for example, α[t]. 
Then we have: 

(1) Consider γ[r] = s→(s→r). 

μt.s→t = s→(μt.s→t) = s→(s→(μt.s→t)) = γ[μt.s→t]. 
μt.s→(s→t) = s→(s→(μt.s→(s→t))) = γ[μt.s→(s→t)]. 

(2) Let: α = μt.μs.γ[t,s], α' = μs.γ[α,s] = α, β = μv.γ[v,v]. 
Consider γ[w,w]. Then: γ[α,α] = γ[α,α'] = α' = α and γ[β,β] = β. 

5.1.3 Reduction to Canonical Form 

It is easy to show that any recursive type is provably equivalent (=_R) to a type in canonical 
form. The strategy can be described as follows: 

(a) Use unfold to get rid of all μ's that do not bind any variable. 

(b) Use μ-contraction to reduce sequences of μ's to one μ. 

(c) Use μ-⊥ to reduce to ⊥ all subtypes of the shape μt.t. 

5.2 Completeness of Equivalence Rules 

By the strong connection between regular trees and recursive types we show that any time 
two recursive types α, β have the same tree expansion Tα=Tβ, then we can conclude ⊢ α=β. 

First we show how to solve systems of type equations. Then we introduce the notion of 
equational characterization of a type; that is, how to characterize a type by a system of type 
equations. Finally we use equational characterizations to prove the completeness theorem. 

In this section we use the following notation. If γ has free variables {u_1..u_p} ⊆ {t_1..t_n}, then 
we write γ[α_1...α_n] for the substitution [α_1/t_1 ... α_n/t_n]γ. In particular, γ[t_1...t_n] emphasizes a 
superset of the free variables of γ. 

5.2.1 Lemma (A system of equations has a solution, by iterated elimination) 
Every system of n equations in n variables: 

  t_i = γ_i[t_1...t_n]   (i∈1..n) 
has a solution in the congruence induced by the axiom (fold-unfold). That is, there are α_1...α_n 
such that ⊢ α_i = γ_i[α_1...α_n] (i∈1..n). 
Proof 

By induction on n. 
Case n=1. Given the equation t=γ[t] just take μt.γ[t]. 

Case n≥2. Given the equations t_i=γ_i[t_1...t_n] (i∈1..n) take α_n'[t_1...t_{n-1}] = μt_n.γ_n[t_1...t_n]. 
Consider the system of n-1 equations: t_i = γ_i[t_1...t_{n-1} α_n'[t_1...t_{n-1}]] (i∈1..n-1) 
which by inductive hypothesis has solution α_1...α_{n-1}, that is: 

  α_i = γ_i[α_1...α_{n-1} μt_n.γ_n[α_1...α_{n-1} t_n]]   (i∈1..n-1) 
Now take α_n = μt_n.γ_n[α_1...α_{n-1} t_n] and check that α_1...α_n is a solution for the original system. □ 

5.2.2 Lemma (A system of contractive equations has a unique solution) 

Assume that, for i∈1..n, we have two sets of types α_i, β_i, related by two systems of equations: 
  ⊢ α_i = γ_i[α_1...α_n]   ⊢ β_i = γ_i[β_1...β_n] 
such that γ_i[t_1..t_n] ↓ t_j for i,j∈1..n. Then, for all i: ⊢ α_i = β_i. 
Proof 

By induction on n. 

Case n=1. We have ⊢ α=γ[α] and ⊢ β=γ[β]. Consider the context γ[t]; by (contract) we have ⊢ 
α=β. 

Case n≥2. Consider the n-th equation. We have, by (fold-unfold), 
  ⊢ μt_n.γ_n[α_1...α_{n-1} t_n] = γ_n[α_1...α_{n-1} μt_n.γ_n[α_1...α_{n-1} t_n]] 
  ⊢ μt_n.γ_n[β_1...β_{n-1} t_n] = γ_n[β_1...β_{n-1} μt_n.γ_n[β_1...β_{n-1} t_n]] 
Hence, by (contract) on t_n, ⊢ α_n = μt_n.γ_n[α_1...α_{n-1} t_n], ⊢ β_n = μt_n.γ_n[β_1...β_{n-1} t_n]. 
Take γ'[t_1...t_{n-1}] = μt_n.γ_n[t_1...t_n]. We can now construct a system of size n-1: 

  t_i = γ_i[t_1...t_{n-1} γ'[t_1...t_{n-1}]]   (i∈1..n-1) 
and check that both α_1...α_{n-1} and β_1...β_{n-1} are solutions. Hence, by inductive hypothesis ⊢ α_i=β_i 
for i∈1..n-1. Moreover, by congruence we obtain ⊢ α_n=β_n. □ 

5.2.3 Definition 

A node context p[t_1...t_n] for p∈L∖{t_1...t_n} (see 3.3 and proof 4.1.5) is a type of the form 
p(u_1...u_#p), where #p is the arity of p, and {u_1..u_#p} ⊆ {t_1...t_n}. 

Node contexts provide a convenient meta-notation for nodes whose children are all type 
variables. For example, the type →(r,r) can be denoted by the node context →[r] or (redundantly) 
by →[r,s,t], and the type →(r,s) by →[s,r] among others. 

Note that a node context p[t_1...t_n] is contractive in each t_j, because either t_j is prefixed by p or 
does not occur in the type. 

5.2.4 Definition 

A type α∈Type is equationally characterized (eq. char.) if there are types α_1..α_n with α=α_1, 
and there are node contexts p_i[t_1...t_n], i∈1..n, for which ⊢ α_i = p_i[α_1...α_n]. 

An equation, t_j=p_j[t_1...t_n], in a system is reachable from a variable t_k if k=j, or if it is 
reachable from the variables in p_k[t_1...t_n] (see 4.1.3). An equation is reachable from another if it 
is reachable from any of the variables in the other. 

5.2.5 Lemma (Building an equational characterization) 

Every term α∈Type has an equational characterization such that all equations are reachable 
from the first one. 
Proof 

The construction is basically the same as the one in 4.1.5. It is enough to prove by induction 
on the structure of γ that every term in μTp is equationally characterized. Then the lemma 
follows by 5.1.3, and by the invariance of equational characterization modulo provable 
equivalence. □ 

5.2.6 Lemma 

Assume Tα=Tβ and ⊢ α=p(α_1..α_#p), ⊢ β=q(β_1..β_#q), where p,q∈L. Then p=q and 
Tα_i=Tβ_i for all i∈1..#p. 
Proof 

By soundness, Tα=Tp(α_1..α_#p) and Tβ=Tq(β_1..β_#q). Hence, p=q and Tα_i=Tβ_i by definition 
of T. □ 

5.2.7 Theorem (Completeness of type equivalence rules) 

If Tα=Tβ then α =_R β 
Proof 

The idea of the proof is as follows: given α and β such that Tα=Tβ we produce their 
corresponding equational characterizations, say ec(α) and ec(β). By a collapse of "equivalent" 
equations we derive a new equational characterization ec(γ). The solutions of the (smaller) 
system associated with ec(γ) can be replicated to produce solutions for the systems associated 
with ec(α) and ec(β). Hence we can apply twice Lemma 5.2.2 (uniqueness of solutions) and then 
transitivity to conclude α =_R β. 

Let Tα=Tβ; by Lemma 5.2.5, α, β are equationally characterized by α_i, t_i=p_i[t_1...t_n] and 
β_j, t_j=q_j[t_1...t_m] so that all equations are reachable from the first ones. 

From these α_i, β_j we generate a sequence of pairs (A^h,B^h) where A^h,B^h are equivalence 
classes of α_i and β_j respectively. Moreover, for each h, α_i1,α_i2∈A^h, and β_j1,β_j2∈B^h, we shall have 
the invariant Tα_i1=Tα_i2=Tβ_j1=Tβ_j2. 

We start with the pair (A^1,B^1) = ({α},{β}). At each step we consider all the pairs α_i,β_j such that 
α_i∈A^h and β_j∈B^h for some h. We indicate by α_(i',i'') some α_i depending on both i' and i''; similarly 
for β_(j',j''). If α_i = p_i(α_(i,1)...α_(i,#p_i)) and β_j = q_j(β_(j,1)...β_(j,#q_j)), we have, by Lemma 5.2.6, p_i=q_j 
and Tα_(i,1)=Tβ_(j,1) ... Tα_(i,#p_i)=Tβ_(j,#q_j). We add all the pairs (α',β')∈{(α_(i,1),β_(j,1)),..., 
(α_(i,#p_i),β_(j,#p_i))} in the following way, respecting the invariant above: 

- if α'∈A^h and β'∈B^h for some h, then nothing is done; 

- else, if α'∈A^h1 and β'∈B^h2, with h1≠h2, then we replace the pairs 
  (A^h1,B^h1) and (A^h2,B^h2) by (A^h1∪A^h2, B^h1∪B^h2); 

- else, if α'∈A^h we replace the pair (A^h,B^h) by (A^h, B^h∪{β'}); 

- else, if β'∈B^h we replace the pair (A^h,B^h) by (A^h∪{α'}, B^h); 

- else we add a new pair ({α'},{β'}). 

We stop when the list of pairs no longer changes. This process terminates because there are at 
most n·m pairs to consider. 

The process above produces two partitions of α_i and β_j of size k≤n, k≤m, for some k. These 
are total partitions since all equations are reachable from the first ones. These partitions 
determine two functions σ:1..n→1..k and π:1..m→1..k such that: 

- σ(i)=π(j) ⇔ α_i∈A^h, β_j∈B^h for some h 

- σ(i1)=σ(i2) ⇔ α_i1,α_i2∈A^h for some h 

- π(j1)=π(j2) ⇔ β_j1,β_j2∈B^h for some h 

Given these partitions, we now define a system of k equations t_h = r_h[t_1..t_k], which will turn 
out to be equivalent both to the p_i and the q_j systems. For h∈1..k we have: 

t_h = r_h[t_1..t_k]   where 

  r_σ(i)[t_1..t_k] = p_i[t_σ(1)...t_σ(n)] 

  r_π(j)[t_1..t_k] = q_j[t_π(1)...t_π(m)] 

We need to argue that this is a proper definition, since we can have, for example, σ(i)=π(j) for 
some i,j. We show that when this happens, we also have by construction that 
r_σ(i)[t_1..t_k] ≡ r_π(j)[t_1..t_k]. Similarly for the other possible conflicts: σ(i1)=σ(i2) for some i1,i2, and 
π(j1)=π(j2) for some j1,j2. To show these facts, we further investigate the properties of σ and π. 

- σ(1) = π(1) since α,β start in the same pair (A^1,B^1). 

- if σ(i) = π(j) then p_i=q_j. Moreover, let α_i = p_i[α_1...α_n] = p_i(α_(i,1)...α_(i,#p_i)) and 
  β_j = q_j[β_1...β_m] = q_j(β_(j,1)...β_(j,#q_j)) be the i-th and j-th equations in the respective systems. 
  Then α_i∈A^h, β_j∈B^h for some h (property above); the pair α_i,β_j was considered in the 
  process above; that is, the pairs α_(i,1),β_(j,1) ... α_(i,#p_i),β_(j,#q_j) were also added to the list. 
  Therefore σ(i,1)=π(j,1) ... σ(i,#p_i)=π(j,#q_j), and p_i(t_σ(i,1)...t_σ(i,#p_i)) = q_j(t_π(j,1)...t_π(j,#q_j)). This 
  is the same as saying p_i[t_σ(1)...t_σ(n)] ≡ q_j[t_π(1)...t_π(m)]. 

- if σ(i1) = σ(i2) then p_i1=p_i2. Moreover, let α_i1 = p_i1(α_(i1,1)...α_(i1,#p_i1)) and 
  α_i2 = p_i2(α_(i2,1)...α_(i2,#p_i2)) be the i1-th and i2-th equations in the α system. Then 
  α_i1,α_i2∈A^h for some h (property above). Consider any β_j∈B^h; the pairs α_i1,β_j and α_i2,β_j were 
  considered in the process above, that is the pairs α_(i1,1),β_(j,1) and α_(i2,1),β_(j,1) were also added 
  to the list. Therefore σ(i1,1)=π(j,1)=σ(i2,1), and similarly up to σ(i1,#p_i1)=σ(i2,#p_i2). 
  Hence: p_i1(t_σ(i1,1)...t_σ(i1,#p_i1)) = p_i2(t_σ(i2,1)...t_σ(i2,#p_i2)). This is the same as saying 
  p_i1[t_σ(1)...t_σ(n)] ≡ p_i2[t_σ(1)...t_σ(n)]. 

- similarly for π(j1) = π(j2). 

Hence we conclude: 

- if σ(i) = π(j) then r_σ(i)[t_1..t_k] ≡ p_i[t_σ(1)...t_σ(n)] ≡ q_j[t_π(1)...t_π(m)] ≡ r_π(j)[t_1..t_k] 

- if σ(i1)=σ(i2) then r_σ(i1)[t_1..t_k] ≡ p_i1[t_σ(1)...t_σ(n)] ≡ p_i2[t_σ(1)...t_σ(n)] ≡ r_σ(i2)[t_1..t_k] 

- similarly for π(j1)=π(j2) 

Now by Lemma 5.2.1 we can construct a solution of the system t_h = r_h[t_1..t_k]; that is, we can 
obtain γ_1..γ_k such that ⊢ γ_h = r_h[γ_1..γ_k]. 

Then ⊢ γ_σ(i) = r_σ(i)[γ_1..γ_k] = p_i[γ_σ(1)..γ_σ(n)] for all i. Therefore, the γ's (when appropriately 
replicated) satisfy the same system as the α's, and by Lemma 5.2.2 we have ⊢ α_i = γ_σ(i). Similarly, 
the γ's satisfy the β's system, and ⊢ β_j = γ_π(j). Moreover, σ(1) = π(1), hence 
⊢ α = α_1 = γ_σ(1) = γ_π(1) = β_1 = β by transitivity. □ 

This constructive proof is based on the one in [25] (see also [21]), but differs in an important 
point as, in addition, we must deal with equivalence classes of types. 

5.2.8 Example 

In this example, arising from a discussion with Mario Coppo, we consider the types: 
  α = μt.t→(t→t)   β = μt.(t→t)→t 
We have Tα=Tβ, but note that there is no single context that can prove them equivalent by the 
(contract) rule. We must find a third type γ which is independently provably equal to α and β by 
(contract), and then we can obtain ⊢ α=β by transitivity. To find this γ, we instantiate the proof 
of 5.2.7. 

We start with two equational characterizations for α and β: 

  α_1 = α       β_1 = β 
  α_2 = α→α     β_2 = β→β 

  p_1[t_1,t_2] ≜ t_1→t_2   q_1[t_1,t_2] ≜ t_2→t_1 

  p_2[t_1,t_2] ≜ t_1→t_1   q_2[t_1,t_2] ≜ t_1→t_1 

That is, the following are provable, by (fold-unfold): 

  α_1 = α_1→α_2   β_1 = β_2→β_1 

  α_2 = α_1→α_1   β_2 = β_1→β_1 

Starting with the list ({α_1},{β_1}), we must match the equations for α_1 and β_1. This involves 
equating the pairs α_1,β_2 (obtaining ({α_1},{β_1,β_2})), and α_2,β_1 (obtaining ({α_1,α_2},{β_1,β_2})). 
Matching the newly inserted pairs does not further modify the situation, hence we have reached 
termination with the partitions: 

  ({α_1,α_2},{β_1,β_2})   with k=1 and σ=π={1↦1, 2↦1} 

The associated system of one equation is t_1 = r_1[t_1], where: 

  r_σ(1)[t_1] = p_1[t_σ(1),t_σ(2)] 
  r_1[t_1] = t_1→t_1 

We now generate a solution for this system: 

  γ_1 = μt.t→t   such that ⊢ γ_1 = γ_1→γ_1 = r_1[γ_1] 
We can verify that (γ_1,γ_1) solves the α and β systems: 

  ⊢ γ_1 = p_1[γ_1,γ_1]   ⊢ γ_1 = q_1[γ_1,γ_1] 
  ⊢ γ_1 = p_2[γ_1,γ_1]   ⊢ γ_1 = q_2[γ_1,γ_1] 

Hence a proof of ⊢ α_1=γ_1 can be constructed by Lemma 5.2.2 (more simply, by unfolding ⊢ α_1 = 
α_1→(α_1→α_1) and ⊢ γ_1 = γ_1→γ_1 = γ_1→(γ_1→γ_1), hence ⊢ α_1 = γ_1 by (contract)). Similarly, ⊢ γ_1 = 
β_1. Hence by transitivity, ⊢ α_1 = β_1. 
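The collapse of two equational characterizations from the proof of 5.2.7, followed by the iterated elimination of Lemma 5.2.1, as an added Python example that is not the paper's code, run on the systems of Example 5.2.8: node contexts are a constructed tuple encoding, the pairs (A^h,B^h) are kept in a union-find, and `solve` returns the γ_h as closed μ-types (the helper names `collapse`, `subst` and `solve` are mine).

```python
# Added example (not the paper's code). Constructed encodings:
#   node context ::= ('bot',) | ('top',) | ('tvar', name) | ('arrow', i, j)
#                    where i, j index the equations of the system (1-based)
#   system       ::= dict i -> node context, standing for t_i = p_i[t_1..t_n]
#   type         ::= ('bot',) | ('top',) | ('var', name) | ('arrow', a, b) | ('rec', name, a)

def collapse(P, Q):
    """The pair-merging process of 5.2.7 on the alpha system P and the beta system Q.
    Returns (sigma, pi, R) with t_h = R[h][t_1..t_k] the collapsed system, or None if two
    matched equations have different heads (excluded by Lemma 5.2.6 when T(alpha)=T(beta))."""
    parent = {}                                  # union-find over ('a', i) and ('b', j)

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(x, y):
        rx, ry = find(x), find(y)
        if rx != ry:
            parent[rx] = ry

    union(('a', 1), ('b', 1))                    # start with ({alpha_1}, {beta_1})
    considered = set()
    changed = True
    while changed:                               # stop when the pairs no longer change
        changed = False
        for i in P:
            for j in Q:
                if (i, j) in considered or find(('a', i)) != find(('b', j)):
                    continue
                considered.add((i, j))
                changed = True
                p, q = P[i], Q[j]
                if p[0] != q[0] or (p[0] == 'tvar' and p[1] != q[1]):
                    return None                  # p_i differs from q_j
                if p[0] == 'arrow':              # add the children pairs to the list
                    union(('a', p[1]), ('b', q[1]))
                    union(('a', p[2]), ('b', q[2]))

    numbering = {}                               # class root -> h in 1..k

    def cls(x):
        return numbering.setdefault(find(x), len(numbering) + 1)

    sigma = {i: cls(('a', i)) for i in sorted(P)}
    pi = {j: cls(('b', j)) for j in sorted(Q)}

    def rename(ctx, f):                          # p_i[t_f(1) ... t_f(n)]
        return ('arrow', f[ctx[1]], f[ctx[2]]) if ctx[0] == 'arrow' else ctx

    R = {}
    for f, system in ((sigma, P), (pi, Q)):
        for i, ctx in system.items():
            r = rename(ctx, f)
            if R.setdefault(f[i], r) != r:       # 5.2.7 shows this conflict cannot arise
                raise AssertionError('collapsed system is not well defined')
    return sigma, pi, R

def subst(ty, name, repl):
    """[repl/name]ty; in solve() every mu binds a distinct t_n, so nothing is captured."""
    k = ty[0]
    if k == 'var':
        return repl if ty[1] == name else ty
    if k == 'arrow':
        return ('arrow', subst(ty[1], name, repl), subst(ty[2], name, repl))
    if k == 'rec':
        return ty if ty[1] == name else ('rec', ty[1], subst(ty[2], name, repl))
    return ty

def solve(R):
    """Lemma 5.2.1: solve t_h = R[h][t_1..t_k] by eliminating t_k, then t_(k-1), ...
    Returns closed types gamma_h with gamma_h = R[h][gamma_1..gamma_k] provable."""
    k = len(R)
    e = {}
    for h, ctx in R.items():                     # node context -> type over t_1..t_k
        if ctx[0] == 'arrow':
            e[h] = ('arrow', ('var', f't{ctx[1]}'), ('var', f't{ctx[2]}'))
        else:
            e[h] = ('var', ctx[1]) if ctx[0] == 'tvar' else ctx
    for n in range(k, 0, -1):
        e[n] = ('rec', f't{n}', e[n])            # alpha_n' = mu t_n . gamma_n[t_1..t_n]
        for h in range(1, n):                    # the smaller system in t_1..t_(n-1)
            e[h] = subst(e[h], f't{n}', e[n])
    for n in range(2, k + 1):                    # close alpha_n with the solved alpha_1..alpha_(n-1)
        for h in range(1, n):
            e[n] = subst(e[n], f't{h}', e[h])
    return e
```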

5.3 Subtyping Rules 

At first it is not clear how to define a rule for the subtyping of recursive types that is 
sufficiently powerful. In particular, observe that the computational rule (μ_A) in section 4.2 does 
not have any apparent logical meaning as the premise is always valid under a classical reading of 
the entailment relation. 

We now introduce a rule, (μ_R), whose soundness is clear. Later, in section 5.4, we will show 
that in conjunction with the type equivalence rules, (μ_R) leads to a subtyping system complete 
with respect to the tree ordering. 

We denote with Γ a set {t_1≤s_1, ..., t_n≤s_n} of subtyping assumptions on type variables. We 
write a subtype judgment as: Γ ⊃ α≤β. 

Define a formal system for deriving this kind of judgments as follows; this is based on the α 
=_R β congruence in 5.1: 

(eq_R)      α =_R β ⇒ Γ ⊃ α≤β 

(trans_R)   Γ ⊃ α≤β, Γ ⊃ β≤γ ⇒ Γ ⊃ α≤γ 

(assmp_R)   t≤s ∈ Γ ⇒ Γ ⊃ t≤s 

(⊥_R)       Γ ⊃ ⊥≤α 

(⊤_R)       Γ ⊃ α≤⊤ 

(→_R)       Γ ⊃ α'≤α, Γ ⊃ β≤β' ⇒ Γ ⊃ α→β ≤ α'→β' 

(μ_R)       Γ∪{t≤s} ⊃ α≤β ⇒ Γ ⊃ μt.α ≤ μs.β 
            with t only in α; s only in β; t,s not in Γ 

We say α ≤_R β if we can derive ∅ ⊃ α≤β. The last rule was proposed in [10] in the 
specification of the Amber programming language as a first attempt to define a theory for the 
subtyping of recursive types. 

5.3.1 Proposition (Soundness of the rule ordering w.r.t. the tree ordering) 

If α ≤_R β then α ≤_T β. 
Proof 

We prove the more general statement: 
If ⊢_R {t_1≤s_1, .., t_n≤s_n} ⊃ α≤β 

and α_1 ≤_T β_1, .., α_n ≤_T β_n so that {t_1,s_1, .., t_n,s_n} ∩ FV(α_1,β_1, .., α_n,β_n) = ∅ 
then [α_1/t_1, β_1/s_1, .., α_n/t_n, β_n/s_n]α ≤_T [α_1/t_1, β_1/s_1, .., α_n/t_n, β_n/s_n]β. 

The proof goes by induction on the length of the derivation ⊢_R. The only interesting cases 
arise for (μ_R) and (eq_R). 

For brevity we write lists such as t_1≤s_1, .., t_n≤s_n in the form t_i≤s_i for a free i. 

Case (μ_R)   {t_i≤s_i, t≤s} ⊃ α≤β ⇒ {t_i≤s_i} ⊃ μt.α ≤ μs.β 
with t∉FV(β); s∉FV(α); t,s ≠ t_i,s_i for any i. 
By induction hypothesis: 

  ∀α_i ≤_T β_i, α ≤_T β such that {t_i,s_i,t,s} ∩ FV(α_i,β_i,α,β) = ∅. 
  [α_i/t_i, β_i/s_i, α/t]α ≤_T [α_i/t_i, β_i/s_i, β/s]β 
Define  α^0 ≜ ⊥   α^{n+1} ≜ [α_i/t_i, β_i/s_i, α^n/t]α 

        β^0 ≜ ⊥   β^{n+1} ≜ [α_i/t_i, β_i/s_i, β^n/s]β 

Applying the induction hypothesis with α=α^n, β=β^n we obtain 
α^{n+1} ≤_T β^{n+1} for every n. 

For every k we can then choose an n sufficiently large so that: 
  (μt.[α_i/t_i, β_i/s_i]α)|k =_T α^n|k ≤_T β^n|k =_T (μs.[α_i/t_i, β_i/s_i]β)|k 

(such n is found by examining how t and s occur in α and β). 

Hence, by definition of ≤_T for recursive types, we have shown: 
  [α_i/t_i, β_i/s_i](μt.α) ≤_T [α_i/t_i, β_i/s_i](μs.β) 

Case (eq_R)   α =_R β ⇒ {t_i≤s_i} ⊃ α≤β 

Since =_R is a congruence, we have [α_i/t_i, β_i/s_i]α =_R [α_i/t_i, β_i/s_i]β. 
By soundness of =_R we have [α_i/t_i, β_i/s_i]α =_T [α_i/t_i, β_i/s_i]β. Finally, 
[α_i/t_i, β_i/s_i]α ≤_T [α_i/t_i, β_i/s_i]β since ≤_T is a preorder. □ 

Remarks 

5.3.2 It is easy to observe that if we prove something in the system without using (eq_R) 
and (trans_R) then all the assumptions, t≤s, inserted in Γ when applying the rule (μ_R) can be 
used only with respect to a pair of positive occurrences of t in α and s in β. 

5.3.3 Then one may wonder whether the following rule suffices for our purposes [5]: 

  α≤β, Monotonic(t,α), Monotonic(t,β) ⇒ μt.α ≤ μt.β 

where Monotonic(t,α) iff t does not occur negatively in α. 

Unfortunately it does not, as we cannot prove inclusions involving negative occurrences, as 
in μt.t→t ≤ μt.⊥→t. 

Moreover, one must be careful in defining "t does not occur negatively in α" for recursive 
types, in order to ensure that α is really monotonic in t (for example, μs.s→t is not monotonic 
in t): 

  PosAlso(t,t) = True,   PosAlso(t,s) = False (s≠t) 
  PosAlso(t,⊥) = False,  PosAlso(t,⊤) = False 
  PosAlso(t,α→β) = NegAlso(t,α) ∨ PosAlso(t,β) 
  PosAlso(t,μs.α) = (NegAlso(s,α) ∧ t∈FV(α)) ∨ PosAlso(t,α)   (s≠t) 

  NegAlso(t,s) = False (even when s=t) 
  NegAlso(t,⊥) = False,  NegAlso(t,⊤) = False 
  NegAlso(t,α→β) = PosAlso(t,α) ∨ NegAlso(t,β) 
  NegAlso(t,μs.α) = (NegAlso(s,α) ∧ t∈FV(α)) ∨ NegAlso(t,α)   (s≠t) 

  Monotonic(t,α) = ¬NegAlso(t,α) 

Under these conditions, it is possible to show that the rule above is provable from the 
system in 5.3. 
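PosAlso, NegAlso and Monotonic as an added Python example that is not the paper's code, over a constructed tuple encoding of types (the function names `fv`, `pos_also`, `neg_also`, `monotonic` are mine). It reproduces the two claims above: μs.s→t is not monotonic in t, and t→t is not monotonic in t, which is why the rule of 5.3.3 cannot derive μt.t→t ≤ μt.⊥→t.

```python
# Added example (not the paper's code). Types use the constructed encoding
#   ('bot',) | ('top',) | ('var', t) | ('arrow', a, b) | ('rec', s, a)

def fv(ty):
    """Free type variables of ty (mu s.a binds s)."""
    k = ty[0]
    if k in ('bot', 'top'):
        return set()
    if k == 'var':
        return {ty[1]}
    if k == 'arrow':
        return fv(ty[1]) | fv(ty[2])
    return fv(ty[2]) - {ty[1]}

def pos_also(t, ty):
    """PosAlso(t, ty): t has a positive occurrence in (the unfolding of) ty."""
    k = ty[0]
    if k == 'var':
        return ty[1] == t
    if k in ('bot', 'top'):
        return False
    if k == 'arrow':
        return neg_also(t, ty[1]) or pos_also(t, ty[2])
    s, body = ty[1], ty[2]
    if s == t:                       # t is bound here, so it does not occur free
        return False
    # a negative occurrence of s in the body flips, on unfolding, the polarity of
    # every occurrence of t in the body, so t then occurs with both polarities
    return (neg_also(s, body) and t in fv(body)) or pos_also(t, body)

def neg_also(t, ty):
    """NegAlso(t, ty): t has a negative occurrence in (the unfolding of) ty."""
    k = ty[0]
    if k in ('var', 'bot', 'top'):
        return False
    if k == 'arrow':
        return pos_also(t, ty[1]) or neg_also(t, ty[2])
    s, body = ty[1], ty[2]
    if s == t:
        return False
    return (neg_also(s, body) and t in fv(body)) or neg_also(t, body)

def monotonic(t, ty):
    """Monotonic(t, ty) = not NegAlso(t, ty)."""
    return not neg_also(t, ty)
```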

5.4 Completeness of Subtyping Rules. 

In proving the completeness of the subtyping rules w.r.t. the tree ordering, it seems helpful to 
go through the algorithm. The rather obvious approach of extracting a proof from a successful 
execution tree is complicated by the lack of correspondence between the computational rule (μ_A) 
and the rule (μ_R), as the former can be applied repeatedly on the same variable, whereas the latter 
can be applied at most once. 

One may wonder if it is possible to rearrange the regular systems, while preserving type 
equivalence, so that during the execution we never have to expand twice the same variable by 
means of (μ_A). 

Naively this corresponds to a controlled unfolding of the recursive types so that the 
corresponding μ's appear at the same time in the visit of the trees. For example, to prove μt.t→t 
≤_R μs.(μs'.⊤→s')→s, we unfold the first type to μt.(μt'.t'→t')→t; note that this is not the 
unfolding given by the (fold-unfold) rule. 

If ⊢_A Σ,ε ⊃ t≤s (see 4.2.3), we say that (the successful execution tree of) the initial goal 
Σ,ε ⊃ t≤s has the one-expansion property iff the following is true: for every t∈Dom(ε) and for each 
path p of the execution tree, t is expanded in a (μ_A) node of p at most once. 

It follows that with one-expansion, each variable can be inserted in Σ in a unique way, so that 
for each pair of assumptions t_1≤s_1, t_2≤s_2 ∈ Σ we have that t_1,s_1,t_2,s_2 are pairwise distinct. 
Moreover, if we consider two (μ_A) nodes Σ,ε ⊃ t_1≤s_1, Σ,ε ⊃ t_2≤s_2 on the same path then t_1,s_1,t_2,s_2 
are pairwise distinct, and if we consider a (μ_A) node Σ,ε ⊃ t_1≤s_1 and an (assmp_A) node Σ,ε ⊃ t_2≤s_2 
on the same path then either t_1=t_2, s_1=s_2 or t_1,s_1,t_2,s_2 are pairwise distinct. 

5.4.1 Lemma (Putting recursions in lockstep) 

If ⊢_A Σ,ε ⊃ t≤s then there are θ, r, u such that ⊢_A Σ,θ ⊃ r≤u, Sol(r,θ) = Sol(t,ε), Sol(u,θ) = 
Sol(s,ε) and Σ,θ ⊃ r≤u satisfies the one-expansion property. 
Proof 

Given the initial goal Σ,ε ⊃ t≤s and the related successful execution tree we build a new 
judgment Σ,θ ⊃ r≤u such that the following properties hold: 

(a) Σ,θ ⊃ r≤u is an initial goal. 

(b) Sol(r,θ) = Sol(t,ε) and Sol(u,θ) = Sol(s,ε). 

(c) ⊢_A Σ,θ ⊃ r≤u, and the execution tree is equal to the one 
for Σ,ε ⊃ t≤s modulo variable renaming. 

(d) Σ,θ ⊃ r≤u satisfies the one-expansion property. 

First we build the execution tree of Σ,ε ⊃ t≤s. Then we associate with every node of the tree a 
couple (r,u) (or (u,r) on negative branches) of fresh variables with the following constraint: with 
every assumption leaf for t≤s we associate the same pair of variables as with the μ node where 
the assumption t≤s has been introduced into Σ (if any). 

Next generate θ according to the following cases: 

Case (μ-⊥). Say we are in the situation: Σ',ε ⊃ ⊥≤β ⇒ Σ',ε ⊃ t≤s_0 where ε(t)=⊥. If (r,u_0) is the 
pair of variables associated with the μ-node add the equations: 
  r=⊥ 
  [u_0/s_0, u_1/s_1, ..., u_n/s_n](s_i = ε(s_i))   for i∈0..n 
where u_1...u_n are fresh variables and s_1...s_n are the variables reachable from s_0 in the system ε, 
that is {s_1...s_n} = Reach(s_0,ε)∩Dom(ε). 

Case (μ-⊤). Analogous. 

Case (μ-var). Say we are in the situation Σ',ε ⊃ a≤a ⇒ Σ',ε ⊃ t≤s. If (r,u) is the pair of variables 
associated with the μ-node, we add a pair of equations: r=a, u=a. 

Case (μ-→). Say we are in the situation: 
  Σ'∪{t≤s},ε ⊃ s_1≤t_1,  Σ'∪{t≤s},ε ⊃ t_2≤s_2 
  ⇒ Σ'∪{t≤s},ε ⊃ t_1→t_2 ≤ s_1→s_2  ⇒ Σ',ε ⊃ t≤s 
where we have the fresh variables r,r_1,r_2 for t,t_1,t_2 and u,u_1,u_2 for s,s_1,s_2 (the variables associated 
to an →-node are inessential) then we generate the equations r=r_1→r_2 and u=u_1→u_2. 

Case (μ-assmp1). Say we are in the situation: Σ',ε ⊃ a≤b ⇒ Σ',ε ⊃ t≤s where a≤b ∈ Σ. If (r,u) is 
the pair of variables associated with the μ-node, we add a pair of equations: r=a, u=b. 

Case (μ-assmp2). Finally, if we visit a node in which we apply the rule (assmp_A) w.r.t. an 
assumption added during the computation then we do not generate any equation. In fact, the 
equations corresponding to those variables are defined in the corresponding μ-node in which the 
assumption was made. 

Let us now consider the properties (a-d): 

(a) Follows from the use of fresh variables. 

(b) In the first place one establishes a relation R, say, between the variables reachable from t and 
those reachable from r. In general we will have a situation in which a variable t may correspond 
to many variables r_1...r_n. Next, prove by induction on the lowest level of the appearance of r in 
the execution tree and |π| that (t,r)∈R implies Sol(r,θ)(π) = Sol(t,ε)(π). 

(c) By construction at each step we can apply the same computational rule. 

(d) This is a consequence of the constraint on the assignment of fresh variables to nodes. □ 

5.4.2 Example 

Consider the types: μt.⊤→t ≤_T ⊥→(μs.s→s). These types are in minimal form, i.e. they are 
the smallest types that can describe the corresponding regular trees, but still the recursions are 
not in lockstep; we need to transform them into more redundant forms, in order to synchronize 
them. In the following we pedantically apply the procedure described in the proof of the previous 
lemma. 

Let us assume that the types are described by the canonical system ε: 
  ε = ε_1∪ε_2,  ε_1 = {t_1=t_2→t_1, t_2=⊤},  ε_2 = {s_1=s_2→s_3, s_2=⊥, s_3=s_3→s_3}. 
The following describes the successful execution tree associated to the initial goal ∅,ε ⊃ t_1≤s_1: 

  (⊤_A)                                    (assmp_A) 
  ⇒ {t_1≤s_1,t_1≤s_3},ε ⊃ s_3≤t_2          ⇒ {t_1≤s_1,t_1≤s_3},ε ⊃ t_1≤s_3 

  (→_A) ⇒ {t_1≤s_1,t_1≤s_3},ε ⊃ t_2→t_1 ≤ s_3→s_3 

  ⇒ {t_1≤s_1},ε ⊃ s_2≤t_2                  ⇒ {t_1≤s_1},ε ⊃ t_1≤s_3 

  ⇒ {t_1≤s_1},ε ⊃ t_2→t_1 ≤ s_2→s_3 
  ⇒ ∅,ε ⊃ t_1≤s_1 

Observe that this execution tree does not have the one-expansion property as the variable t_1 is 
expanded twice. Hence we start associating fresh variables to each node according to the rules 
described in the proof. The following describes which rule is being applied at each node of the 
execution tree, and which pair of fresh variables we associate to each node. 

  (⊤_A) (u_6,r_6)          (assmp_A) (r_3,u_3) 

  (→_A) (r_5,u_5) 
  (⊥_A) (u_4,r_4)          (μ_A) (r_3,u_3) 

  (→_A) (r_2,u_2) 

  (μ_A) (r_1,u_1) 

We now compute the new type environment θ = θ_1∪θ_2, where: 

  θ_1 = {r_1=r_4→r_3, r_4=⊤, r_3=r_6→r_3, r_6=⊤}, 

  θ_2 = {u_1=u_4→u_3, u_4=⊥, u_3=u_6→u_3, u_6=u_6→u_6} 

Observe here that the equation u_6=u_6→u_6 is generated by calculating: [u_6/s_3](s_3=ε(s_3)). No more 
equations are needed as s_3 is the only variable reachable from s_3. Verify that: 

  T(μt.⊤→t) = Sol(t_1,ε) = Sol(r_1,θ),   T(⊥→(μs.s→s)) = Sol(s_1,ε) = Sol(u_1,θ). 

We finally compute the successful execution tree, with one-expansion property, associated to the 
initial goal ∅,θ ⊃ r_1≤u_1: 

  (⊤_A)                                    (assmp_A) 
  ⇒ {r_1≤u_1,r_3≤u_3},θ ⊃ u_6≤r_6          ⇒ {r_1≤u_1,r_3≤u_3},θ ⊃ r_3≤u_3 

  (→_A) ⇒ {r_1≤u_1,r_3≤u_3},θ ⊃ r_6→r_3 ≤ u_6→u_3 

  ⇒ {r_1≤u_1},θ ⊃ u_4≤r_4                  ⇒ {r_1≤u_1},θ ⊃ r_3≤u_3 

  ⇒ {r_1≤u_1},θ ⊃ r_4→r_3 ≤ u_4→u_3 

  ⇒ ∅,θ ⊃ r_1≤u_1 

5.4.3 Lemma (From the execution tree to the proof tree) 

If h A Z,ei5t<s (see 4.2.3) and its execution tree has the one-expansion 
property, then h R E id <t,8> < <s,8>. 

Proof 

We proceed by induction on the depth k of the successful execution tree of an initial goal 
E,e=3t<s (see 4.2). Depth is measured by the number of adjacent pairs of nodes (|X A )-(— > A ) in the 
longest branch from the root. In the inductive case, each subgoal is converted into an initial goal 
of the same depth, in order to apply the induction hypothesis. 

Case k=0. 

The tree consists of a (|l A ) root (since the goal is initial) and a single leaf which is either 
(assmp A ), (J- A ), (t a ), or (var A ). Then after the application of the (|i A ) rule, with s,teDom(e), we 
are in a terminal case Eu{t<s},8 3 e(t)<e(s). 

Subcase (assmp A ). Eu{t<s},E zd a<b, where e(t)=a, e(s)=b, and a<be£. 
Then a,b£Dom(e) (by definition of Tenv), and (t,8>=(Jt.a=a, (s,e)=(is.b=b. 
By (assmp R ), a<be Z^h R lD a<b. 

Conclude by (eq R ): h R ZD |it.a<a, h R ED b<(is.b, and (trans R ). 

Subcase (± A ). Lu{t<s},e 3 ±<e(s), where e(t)=±. 
Then (t,e)=(it.±=± and we have h R E id _l < (s,e). 
Conclude by (eq R ) and (trans R ). 
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Subcase (t a ). Similar. 

Subcase (var A ). Eu{t<s},£ 3 a<a, where e(t)=e(s)=a and a^Dom(e). 
Then (t,e)=(it.a=a=(is.a=<s,e). We can apply (e.q$): £ id a<a, 
then conclude with (eq R ) and (trans R ). 

Case k>0. 

The tree has a (|i A ) root with a (— > A ) child, hence e(t)=tj^t 2 , e(s)=sj^s 2 , where by 
definition of Tenv ti,t 2 ,si,s 2 eDom(e): 

Eu{t<s},8 ID S!<t!, Zu{t<s},8 3t 2 <s 2 

=> Eu{t<s},£3 — >t 2 < S}— >S 2 
^> £,£3t<S 

We initially focus on one of the subgoals of depth k-1: 

(A) Eu{t<s},83t 2 <S2 

Let us consider the following goal (B), which we intend to subject, instead of (A), to the 
induction hypothesis: 

(B) Zu{t<s},e'3o(t 2 )<o(s 2 ) 

where G=[t'/t, s'/s] is a substitution with fresh variables t' and s', and 8' =a(£\t\s)u{t'=t, s'=s}. 

First we show that the goal (B) is initial. Since h A E,e=3t<s is initial we have: 
Vars(£)nDom(e)=0 

8=8!U8 2 with Dom(8 1 )nDom(8 2 )=0, such that teDom(e 1 ), seDom(e 2 ) 
Hence we also have: 

tj,t 2 eDom(8i) (only); si,s 2 eDom(e 2 ) (only) 

e'=e'iue' 2 where e' 1 =o(8 1 \t)u{t'=t}, £' 2 =g(£ 2 \s)u{s'=s} 
From which we conclude: 

Vars(Eu { t< s } )nDom(e')=0 

Dom(E' j)nDom(E' 2 )=0 

o(t 2 )eDom(e' 1 ), because: 

if t 2 =t then o(t 2 )=t' and t'eDom(e'j); (t 2 =s is not possible) 

if t 2 ^t then o(t 2 )=t 2 ; since t 2 eDom(8 1 ), we have o(t 2 )eDom(e' 1 ) 

a(s 2 )eDom(e' 2 ), similarly. 

Second, let Tree(A) be the execution subtree of root (A), and Tree(B) be the execution tree of
root (B). We show, by induction on the length of the longest path in Tree(A), that we can build a
tree T such that: (1) T has the same depth as Tree(A); (2) T succeeds; (3) T expands the same
variables as Tree(A) in (μ_A) nodes, with the exception of t',s'; (4) T has the one-expansion
property; and (5) T = Tree(B). (Hence, we also have ⊢_A (B).)

We proceed by induction on each subgoal A = Σ∪{t≤s}, ε ⊃ α ≤ β of Tree(A), for which we
build a subtree T of the shape Σ∪{t≤s}, ε' ⊃ σ(α) ≤ σ(β).

For the case (assmp_A) we have Σ∪{t≤s}, ε ⊃ t̂ ≤ ŝ with t̂≤ŝ ∈ Σ∪{t≤s}. By the properties of
one-expansion noted in 5.4, we only need to consider the cases when either t̂ = t and ŝ = s, or
t,s,t̂,ŝ are pairwise distinct.

If t̂ = t, ŝ = s then Tree(A) is Σ∪{t≤s}, ε ⊃ t≤s, and T is taken to be
Σ∪{t≤s, t'≤s'}, ε' ⊃ t≤s ⇒ Σ∪{t≤s}, ε' ⊃ t'≤s',
which is successful by (assmp_A) and (μ_A), and has one-expansion. This T is longer but it still
has depth 0.

If t,t̂,s,ŝ are pairwise distinct then Tree(A) is Σ∪{t≤s, t̂≤ŝ}, ε ⊃ t̂≤ŝ, and T is taken to be
Σ∪{t≤s, t̂≤ŝ}, ε' ⊃ t̂≤ŝ, which is successful by (assmp_A), has one-expansion, and has depth 0.

For the case (μ_A) we must have, by one-expansion, t,t̂,s,ŝ pairwise distinct. Then Tree(A) has
the shape:

Σ∪{t̂≤ŝ, t≤s}, ε ⊃ ε(t̂) ≤ ε(ŝ) ⇒ Σ∪{t≤s}, ε ⊃ t̂≤ŝ    with t̂,ŝ ∈ Dom(ε).

Now σ(t̂) = t̂, σ(ŝ) = ŝ, and since t̂,ŝ ∈ Dom(ε') we have ε'(t̂) = σ(ε(t̂)), ε'(ŝ) = σ(ε(ŝ)). The tree T
is then chosen with the shape:

Σ∪{t̂≤ŝ, t≤s}, ε' ⊃ σ(ε(t̂)) ≤ σ(ε(ŝ)) ⇒ Σ∪{t≤s}, ε' ⊃ t̂≤ŝ

hence preserving success and depth by (μ_A) and the induction hypothesis. One-expansion is
preserved because, by induction hypothesis, T expands the same variables in (μ_A) nodes as
Tree(A), which has one-expansion; except that t',s' are expanded in the (assmp_A) case, but in the
present situation t̂,ŝ,t',s' are distinct.

The other cases do not pose difficulties. One-expansion for the (→_A) case follows from
one-expansion of the two branches, since one-expansion is defined path-wise.

Hence we can apply the induction hypothesis to (B), obtaining:

⊢_R Σ∪{t≤s} ⊃ ⟨σt2, ε'⟩ ≤ ⟨σs2, ε'⟩

Then, by the equivalences ⟨σt2,ε'⟩ =_R ⟨t2,ε\t⟩, ⟨σs2,ε'⟩ =_R ⟨s2,ε\s⟩, and (eq_R), (trans_R):

⊢_R Σ∪{t≤s} ⊃ ⟨t2,ε\t⟩ ≤ ⟨s2,ε\s⟩

By a similar argument on Σ∪{t≤s}, ε ⊃ s1 ≤ t1 we obtain:

⊢_R Σ∪{t≤s} ⊃ ⟨s1,ε\s⟩ ≤ ⟨t1,ε\t⟩

Finally:

⇒ Σ∪{t≤s} ⊃ ⟨t1,ε\t⟩→⟨t2,ε\t⟩ ≤ ⟨s1,ε\s⟩→⟨s2,ε\s⟩    (→_R)

⇔ Σ∪{t≤s} ⊃ ⟨ε(t),ε\t⟩ ≤ ⟨ε(s),ε\s⟩

⇒ Σ ⊃ μt.⟨ε(t),ε\t⟩ ≤ μs.⟨ε(s),ε\s⟩    (μ_R)

⇔ Σ ⊃ ⟨t,ε⟩ ≤ ⟨s,ε⟩ □

5.4.4 Example

We describe how to associate a proof tree to the execution tree with the one-expansion property
built in 5.4.2, by repeatedly applying the inductive proof just presented. For convenience we
rewrite here the execution tree:

(⊤_A) {r1≤u1, r3≤u3}, θ ⊃ u6 ≤ r6      (assmp_A) {r1≤u1, r3≤u3}, θ ⊃ r3 ≤ u3
⇒ {r1≤u1, r3≤u3}, θ ⊃ r6→r3 ≤ u6→u3    (→_A)

(⊥_A) {r1≤u1}, θ ⊃ u4 ≤ r4      ⇒ {r1≤u1}, θ ⊃ r3 ≤ u3    (μ_A)

⇒ {r1≤u1}, θ ⊃ r4→r3 ≤ u4→u3    (→_A)
⇒ ∅, θ ⊃ r1 ≤ u1    (μ_A)

where θ = θ1 ∪ θ2, with:

θ1 = {r1 = r4→r3, r4 = ⊤, r3 = r6→r3, r6 = ⊤},

θ2 = {u1 = u4→u3, u4 = ⊥, u3 = u6→u3, u6 = u6→u6}

Proceeding from the root we first fall on an inductive case. Hence we reapply the procedure
to the modified subgoals:

{r1≤u1}, θ' ⊃ u4 ≤ r4      {r1≤u1}, θ' ⊃ r3 ≤ u3

where: θ' = θ'1 ∪ θ'2, σ = [r'/r1, u'/u1],

θ'1 = σ(θ1\r1) ∪ {r'=r1} = {r4 = ⊤, r3 = r6→r3, r6 = ⊤, r' = r1},

θ'2 = σ(θ2\u1) ∪ {u'=u1} = {u4 = ⊥, u3 = u6→u3, u6 = u6→u6, u' = u1}.

The first modified subgoal, {r1≤u1}, θ' ⊃ u4 ≤ r4, leads to a subcase (⊥_A). Hence we have:

⊢_R {r1≤u1} ⊃ ⟨u4,θ'⟩ ≤ ⟨r4,θ'⟩,  ⟨u4,θ'⟩ = ⊥, ⟨r4,θ'⟩ = ⊤    (a)

The second modified subgoal, {r1≤u1}, θ' ⊃ r3 ≤ u3, leads again to an inductive case. Hence we
generate two new modified subgoals:

{r1≤u1, r3≤u3}, θ'' ⊃ u6 ≤ r6      {r1≤u1, r3≤u3}, θ'' ⊃ r3 ≤ u3

where: θ'' = θ''1 ∪ θ''2, σ = [r''/r3, u''/u3],

θ''1 = σ(θ'1\r3) ∪ {r''=r3} = {r4 = ⊤, r6 = ⊤, r' = r1, r'' = r3},

θ''2 = σ(θ'2\u3) ∪ {u''=u3} = {u4 = ⊥, u6 = u6→u6, u' = u1, u'' = u3}.

The first modified subgoal, {r1≤u1, r3≤u3}, θ'' ⊃ u6 ≤ r6, leads to a subcase (⊤_A). Hence we have:

⊢_R {r1≤u1, r3≤u3} ⊃ ⟨u6,θ''⟩ ≤ ⟨r6,θ''⟩,    (b)
⟨u6,θ''⟩ = μu6.u6→u6, ⟨r6,θ''⟩ = ⊤

The second modified subgoal, {r1≤u1, r3≤u3}, θ'' ⊃ r3 ≤ u3, leads to a subcase (assmp_A). Hence we
have:

⊢_R {r1≤u1, r3≤u3} ⊃ ⟨r3,θ''⟩ ≤ ⟨u3,θ''⟩,    (c)
⟨r3,θ''⟩ = r3, ⟨u3,θ''⟩ = u3

We can now build the proof tree, bottom up, using the proofs (a), (b), (c) as leaves:

{r1≤u1, r3≤u3} ⊃ μu6.u6→u6 ≤ ⊤      {r1≤u1, r3≤u3} ⊃ r3 ≤ u3

{r1≤u1, r3≤u3} ⊃ ⊤→r3 ≤ (μu6.u6→u6)→u3

{r1≤u1} ⊃ ⊥ ≤ ⊤      {r1≤u1} ⊃ μr3.(⊤→r3) ≤ μu3.((μu6.u6→u6)→u3)

{r1≤u1} ⊃ (⊤→μr3.(⊤→r3)) ≤ (⊥→μu3.((μu6.u6→u6)→u3))

∅ ⊃ μr1.(⊤→μr3.(⊤→r3)) ≤ μu1.(⊥→μu3.((μu6.u6→u6)→u3))

It just remains to observe the following equivalences to get back to the types we started with in
5.4.2:

μr1.(⊤→μr3.(⊤→r3)) =_R ⊤→μr3.(⊤→r3) =_R μr3.(⊤→r3), and
μu1.(⊥→μu3.((μu6.u6→u6)→u3)) =_R ⊥→μu3.((μu6.u6→u6)→u3) =_R ⊥→(μu6.u6→u6). □
5.4.5 Theorem (Completeness of the subtyping rules)

If α ≤_T β then α ≤_R β.

Proof

If α ≤_T β then α ≤_A β by completeness of the algorithm (4.3.7). Consider the corresponding
successful execution tree and apply the lockstep recursion lemma 5.4.1, obtaining a tree for
α' ≤_A β' with α =_T α' and β =_T β'. By lemma 5.4.3 we can now extract from the new execution tree a
proof of α' ≤_R β'. Applying the completeness of the rules for type equivalence we conclude α =_R α'
and β =_R β'. Finally we derive α ≤_R β by (eq_R) and (trans_R). □



6. A Per Model 

We sketch the main features of a model described in [1] (see also [14] for a related work)
based on complete uniform pers over a λ-model [26].

Per (partial equivalence relation) models provide an interpretation of subtyping as set-theoretic
containment of the relations [7]. In addition, these structures have very interesting
categorical properties (in particular cartesian closure and interpretation of second-order
quantification as intersection, see [19]) that entail a satisfying interpretation of higher-order typed
λ-calculi. The particular class of pers considered here preserves the previous properties while
providing a solution of recursive domain equations up to equality. This result is obtained by an
application of Banach's theorem on the uniqueness of the fixpoint of a contractive operator over a
complete metric space.

6.1 Realizability Structure 

Consider the functor G(D) = D→D + D×D + At defined in the category of complete partial
orders (cpo's) and projection pairs. The cpo At is a collection of atomic values, and + is the
coalesced sum. The morphism part of G is standard.

The cpo D∞ is the initial fixpoint of the functor G, that is the colimit of the following
ω-diagram:

D0 = O (O is the initial object; the cpo with one element)

D_{n+1} = D_n→D_n + D_n×D_n + At = G(D_n)

with uniquely determined projection pairs (i_{n,n+1}, j_{n+1,n}) : D_n → D_{n+1}.

Let (i_n, j_n) be the projection pair between D_n and D∞. Let e_n = i_n(j_n(e)) for e ∈ D∞. We have
⊔_{n<ω} {e_n} = e, where "⊔" denotes, as usual, the join. The cpo's D∞→D∞ and D∞×D∞ are projected
into D∞ by means of the projection pairs (i, j) and ([ , ], p). The operation of application on D∞ is
defined as usual as: fd = j(f)(d).

6.2 Complete Uniform Pers 

A per A over D∞ is complete and uniform³ (henceforth cuper) iff

(1) (⊥_D, ⊥_D) ∈ A (⊥_D is the least element of the cpo D∞)

(2) If X ⊆ A is directed in D∞×D∞ then ⊔X ∈ A

(3) If (e,e') ∈ A then ∀n. (e_n, e'_n) ∈ A

³ A term suggested by M. Abadi and G. Plotkin.

We will consider the full subcategory of complete and uniform pers, therefore the morphisms
are defined as usual as:

cuper[A, B] ≜ {f : D∞/A → D∞/B | ∃φ ∈ D∞. ∀d ∈ D∞. (d,d) ∈ A ⇒ φd ∈ f([d]_A)}

where [d]_A = {e ∈ D∞ | (d,e) ∈ A}, and D∞/A ≜ {[d]_A | (d,d) ∈ A}

Let A|_n = A ∩ i_n(D_n)×i_n(D_n). Given A, B cupers we can define as for ideals (see [20]):

closeness: c(A,B) = ∞, if A = B; max{n | A|_n = B|_n}, o.w.

distance: d(A,B) = 0, if c(A,B) = ∞; 2^{-c(A,B)}, o.w.

6.2.1 Subtype Interpretation 

Following [11] and [7] we say that the cuper A is a subtype of the cuper B iff A ⊆ B. This is
easily shown to correspond to the existence of a unique map in the category that is realized by
the identity. Such maps play the role of coercions from A to B.

6.2.2 Type Interpretation 

A type environment η is a map from type variables to cupers: η : Tvar → cuper. A type
interpretation of a type α in an environment η is written as [[α]]η.

In view of the interpretation of subtyping, the interpretation of type variables and type
constants is naturally given as follows:

[[⊥]]η ≜ {(⊥_D∞, ⊥_D∞)}    [[⊤]]η = D∞×D∞ = Top    [[t]]η = η(t)

As we already mentioned, cuper is a cartesian closed category. In particular, given A, B cupers
the exponent B^A is defined as follows:

(f, g) ∈ B^A ⇔ ∀d,e. (d,e) ∈ A ⇒ (fd, ge) ∈ B

This interpretation of the arrow is sometimes referred to as simple.

In general, every object exp(A, B) isomorphic to the simple interpretation will enjoy the same
categorical properties. Therefore, we assume exp is a binary operator on cupers satisfying:

exp(A, B) ≅ B^A

However, not any choice will be satisfying from our point of view. In order to complete the
interpretation we need two more properties of the operator exp, namely, contractiveness and
(anti-)monotonicity.

6.2.3 Contractiveness 

The set of cupers endowed with the metric d is a complete metric space. We require that the
behavior of exp at level n+1 is determined by the value of the arguments up to level n:

exp(A, B)|_{n+1} = exp(A|_n, B|_n)|_{n+1}

Under this condition the exponentiation operator is contractive on the space (cuper, d) as it
satisfies the following property:

A|_n = A'|_n, B|_n = B'|_n ⇒ exp(A, B)|_{n+1} = exp(A', B')|_{n+1}.

It turns out that every definable type operator is either contractive or the identity, and therefore
admits a least fixpoint. The type-interpretation w.r.t. a contractive exponent exp(A, B) is
completed as follows:

[[α→β]]η ≜ exp([[α]]η, [[β]]η)    [[μt.α]]η ≜ Lfp(λA.[[α]]η[A/t]) (Lfp ≡ least fixpoint).

6.2.4 Soundness of the (→) subtyping rule

In order to have a sound interpretation of the (→) rule in 3.1 it is convenient that the operator
exp satisfies the following additional condition:

A' ⊆ A, B ⊆ B' ⇒ exp(A, B) ⊆ exp(A', B')

Proviso

We can summarize our discussion as follows. We assume to have a binary operator, exp:
cuper×cuper → cuper, satisfying the following three properties, for any A, A', B, B':

exp(A, B) ≅ B^A

exp(A, B)|_{n+1} = exp(A|_n, B|_n)|_{n+1}

A' ⊆ A, B ⊆ B' ⇒ exp(A, B) ⊆ exp(A', B')

The simple interpretation defined above provides an example of such an operator. The
F-interpretation discussed in 6.3 provides yet another example.

We can interpret the types parametrically in the operator exp as follows:

[[⊥]]η ≜ {(⊥_D∞, ⊥_D∞)}    [[⊤]]η ≜ D∞×D∞ = Top    [[t]]η ≜ η(t)

[[α→β]]η ≜ exp([[α]]η, [[β]]η)    [[μt.α]]η ≜ Lfp(λA.[[α]]η[A/t]) (Lfp = least fixpoint).

The three conditions above are also sufficient to obtain the following soundness theorem. We
write ⊨ α≤β iff, given any operator exp, with relative type-interpretation [[ ]], we have [[α]]η ⊆ [[β]]η
for any η: Tvar → cuper.

We also write ⊨ Γ ⊃ α≤β. As usual this means: ∀η. (η ⊨ Γ ⇒ η ⊨ α≤β).

6.2.5 Theorem (Soundness of the tree ordering w.r.t. the model)

Given α, β types, if α ≤_T β then ⊨ α≤β.

Proof (sketch)

Given a per A we define its completion cmpl(A) as the least cuper that contains A:

cmpl(A) ≜ ∩{B cuper | A ⊆ B}

Given a tree A in Tree(L) we define its interpretation as the completion of the set-theoretic
union of the interpretations of its syntactic approximants:

[[A]]η ≜ cmpl(∪_{k<ω} [[A|_k]]η)

It is easy to observe that {[[A|_k]]η | k<ω} is a growing chain of cupers.
Now we need the following fact (see [1]):

∀n,α. ∃N. ∀k>N. [[(α)_n]]η = [[(α|_k)_n]]η

where by definition [[(β)_n]]η = [[β]]η ∩ i_n(D_n)×i_n(D_n).

In other words, if we are interested in the interpretation of the type α up to the n-th level of
the construction of D∞, it is enough to unfold α up to a certain level N and just consider the
interpretation of this finite part of the associated tree expansion.

Next we use the fact that [[α]]η = cmpl(∪_{n<ω} [[(α)_n]]η). From this we can conclude [[α]]η ⊆
[[Tα]]η.

Vice versa observe that ∀k. [[α|_k]]η ⊆ [[α]]η. Hence [[α]]η = [[Tα]]η.

Finally, Tα ≤ Tβ ⇒ ∀k. (α|_k ≤ β|_k) ⇒ ∀k. [[α|_k]]η ⊆ [[β|_k]]η ⇒ [[α]]η ⊆ [[β]]η. □

6.2.6 Proposition (Soundness of the rule ordering w.r.t. the model)

If ⊢_R Γ ⊃ α≤β then ⊨ Γ ⊃ α≤β.

Proof

For the soundness of the type equivalence rules (5.1) one observes that the contractiveness of
α in t is a sufficient (and necessary) condition to enforce the contractiveness of the following
functional on the space cuper_{D∞} (6.2):

G_{α,η,t}(A) = [[α]]η[A/t]    A ∈ cuper_{D∞}

As for the subtyping rules (5.3) the problem is to check the soundness of (μ_R). Suppose η ⊨ Γ.
By hypothesis we have:

∀A,B cuper. A ⊆ B ⇒ G_α(A) ≜ [[α]]η[A/t] ⊆ [[β]]η[B/t] ≜ G_β(B)

Therefore we have: ∀n. G_α^n(Bot) ⊆ G_β^n(Bot), where Bot = {(⊥_D∞, ⊥_D∞)}.
It can be proved (see [1]) that for any type γ:

[[(μt.γ)_n]]η ≜ [[μt.γ]]η ∩ D_n×D_n = G_γ^n(Bot) ∩ D_n×D_n

And from [[μt.γ]]η = cmpl(∪_{n<ω} [[(μt.γ)_n]]η) we have the thesis. □

6.3 Completeness of an F-interpretation

We now consider an F-interpretation of → (see [27]) that is isomorphic to the simple
interpretation and still satisfies the properties in 6.2.3 and 6.2.4. We will also use this
interpretation for the completeness theorem 6.3.4.

Define: (B^A)_F ≜ B^A ∩ F² ∪ {(⊥, f), (f, ⊥), (f, f)}

where F is the embedding of the functional space D∞→D∞ into D∞ and f is the embedding of a
distinct symbol of At into D∞.

Roughly speaking (B^A)_F is built from B^A by selecting among those elements that are
"functions" in the underlying λ-model and by attaching to ⊥ a label f. We introduce the label
f in order to distinguish the functional type ⊤→⊥ from ⊥ (see lemma 6.3.3). As an exercise one
can try to give the complete rules for the "pure" version of the F-interpretation: (B^A)_{F'} ≜ B^A ∩
F². A more difficult exercise is to define a complete system for the simple semantics. In this case
further identifications like μt.t→t = ⊤ take place.

6.3.1 F-theory of subtyping 

Rather than giving some abstract definition of model that naively reflects the conditions for
the soundness theorem and looking for some ad hoc completeness result, we prefer to concentrate on
a specific interpretation.

As a typical example, we characterize the subtypings valid in every F-interpretation. We
write ⊨_F α≤β iff for any type structure D∞ constructed as just described, we have [[α]]η ⊆ [[β]]η (or
equivalently η ⊨_F α≤β) with respect to the induced F-interpretation and for any type environment
η.

In order to prove the completeness of the theory it will be enough to use the elementary
substructure of ideals. Ideals are cupers with just one equivalence class; they are closed w.r.t. the
standard operations over cupers.

Consider the type α→⊤. Both in the simple interpretation and in the F-interpretation its
meaning is essentially independent from α (this is clearly not the case for the tree equivalence).

In particular in the F-interpretation one has:

(Φ)  α→β ≤ γ→⊤

where γ→⊤ plays the role of supertype of all the functional types as:

[[γ→⊤]]η = [[⊥→⊤]]η = F² ∪ {(⊥, f), (f, ⊥), (f, f)}

Add to the subtyping system in 3.1 the axiom (Φ). Denote with ⊢_Φ formal derivability in this
new system. Write α ≤_Φ β iff ⊢_Φ α≤β.

By examining the twenty five possible combinations of rules and axioms it turns out that the
relation ≤_Φ on the collection of non-recursive types is a preorder (as in 3.1, one shows the
transitive rule is derived by case analysis).

Next, extend the preorder to recursive types by defining an ordering on trees as: A ≤_Φ B iff
∀k. (A|_k ≤_Φ B|_k). Also define: α ≤_{Φ,T} β iff Tα ≤_Φ Tβ.

6.3.2 Lemma

Let α be a recursive type and η be a type environment. If Tα ≠ ⊤ and for each type variable t
free in α we have η(t) ≠ Top then [[α]]η ≠ Top.

Proof

By induction on the structure of α. In particular, if α = μt.β then either Tα = ⊥ and the
interpretation is the least cuper, or Tα = t and we can use the hypothesis on η, or the interpretation
is a cuper A that solves the equation:

A = (G1(A)^{G2(A)})_F for some definable operators G1 and G2.

This forces A ⊊ Top. □
6.3.3 Lemma (Separation)

Suppose D∞ is an algebraic cpo. There is a type environment η such that whenever α (β)
matches an element of the column (row) then [[α]]η ⊆ [[β]]η iff the situation described at the
corresponding intersection occurs:

β \ α            ⊥      ⊤      t         α→β (β≠⊤)      α→⊤
⊥                yes    no     no        no             no
⊤                yes    yes    yes       yes            yes
s                yes    no     if t=s    no             no
α'→β' (β'≠⊤)     yes    no     no        α'≤α, β≤β'     no
α'→⊤             yes    no     no        yes            yes
Proof

As we already mentioned, it will be enough to consider ideals, that is, subsets of D∞ with
particular closure properties.

Let us choose an environment η s.t. η(t) = {⊥, λ_t} where λ_t is an element of the flat cpo At. Of
course t ≠ s ⇒ λ_t ≠ λ_s and λ_t ≠ f.

The only interesting problem is to show that in the case (α→β, α'→β') the condition α'≤α,
β≤β' is in fact necessary.

First observe that [[β]]η ⊆ [[β']]η. Otherwise pick up d ∈ [[β]]η\[[β']]η and consider the constant map
λx.d that belongs to [[α→β]]η\[[α'→β']]η.

On the other hand, by lemma 6.3.2 there is e ∈ Top\[[β']]η. If the set [[α']]η\[[α]]η is not
empty then it contains a compact element d_0. Consider the continuous function step_{d_0,e} that
evaluates to e for elements greater than or equal to d_0, and to ⊥ otherwise. Then such a function
belongs to [[α→β]]η\[[α'→β']]η.

Note that we use the downward closure property of ideals to prove that the elements greater than
or equal to d_0 do not belong to [[α]]η. □

6.3.4 Proposition (Completeness for ≤_{Φ,T})

Given recursive types α and β, ⊨_F α≤β iff α ≤_{Φ,T} β.

Proof

The soundness follows from the discussion in 6.3.1 and the more general soundness result
presented in 6.2.5.

For showing completeness, consider the type structure D∞ and the type environment η in lemma
6.3.3. Given α, β, we want to show ∀k. α|_k ≤_Φ β|_k whenever η ⊨ α≤β.

Observe that the relation ≤_{Φ,T} is invariant under unfolding and under transformations of types
of the shape α→⊤ to ⊥→⊤.

Fix k and unfold the types so that no μ appears before the k-th level. Transform all the
subtypes of the shape α→⊤ into ⊥→⊤.

Proceed by induction on k to show that the conditions in the table 6.3.3 force α|_k ≤_Φ β|_k. □
In the remaining part of the paper we will be concerned with the tree ordering as it is very
simple to analyze and it is valid in every interpretation satisfying the conditions of theorem 6.2.5.
However, the previous study suggests that the tree ordering is very close to the model ordering so
that, for example, the decision algorithm that we discuss in section 4 for the former can be easily
adapted to the latter.



7. Coercions 

Coercions and subtyping are closely related topics; see for example [3], [6]. We now show
that the standard coercions c_{α,β} between two types α ≤ β are definable in an extension of the basic
calculus. This can be interpreted as saying that subtyping does not add any expressive power to
such a calculus (only convenience).

Then we show that the coercions implicit in a calculus with subsumption can be 
automatically synthesized. This fact is related to an algorithm for inferring the minimum type of 
a term. 

7.1 Definability

In this section we show how to associate with each successful execution tree a λ-term whose
denotation in the model is a coercion, that is, the unique map between the corresponding types
that is realized by the identity.

7.1.1 Building the λ-term

We can show that if we consider types up to tree equivalence, =_T, then for every initial goal
Σ,ε ⊃ t≤s such that ⊢_A Σ,ε ⊃ t≤s there is a term M(x_1, ..., x_n) : ⟨t→s,ε⟩ where Σ = {t_1≤s_1, ..., t_n≤s_n}
and x_i (i=1,..,n) are the free variables of M of type ⟨t_i→s_i,ε⟩.

For the sake of readability the type labels on bound variables and on the fold and unfold
constants are often omitted.

We recall that it is possible to define a fixpoint combinator as follows:

Y = λf^{α→α}. (λx^{μt.t→α}. f((unfold x)x)) (fold^{μt.t→α} (λx^{μt.t→α}. f((unfold x)x))) : (α→α)→α.

Proceed by induction on the structure of the execution tree (see 4.2.1). We refer to 4.1.7 for
the properties 1..6 of the translation ⟨-,-⟩:

Case (assmp)  x^{⟨t→s,ε⟩}

Case (⊥)  λx^⊥. Y(λx^{⟨β,ε⟩}. x) : ⟨⊥→β,ε⟩ =_T ⊥→⟨β,ε⟩ by 1,5.

Case (⊤)  λx^{⟨α,ε⟩}. Y(λx^⊤. x) : ⟨α→⊤,ε⟩ =_T ⟨α,ε⟩→⊤ by 2,5.

Case (var)  λx^a. x : ⟨a→a,ε⟩ =_T a→a by 3,5.

Case (→)  λf^{⟨α→β,ε⟩}. λx^{⟨α',ε⟩}. M_2(f(M_1(x))) : ⟨(α→β)→(α'→β'),ε⟩ by 5,
where by induction hypothesis M_2 : ⟨β→β',ε⟩ and M_1 : ⟨α'→α,ε⟩.

Case (μ)  by induction hypothesis we have M(x^{⟨t→s,ε⟩}) : ⟨ε(t)→ε(s), ε⟩;
by 4, 5 ⟨t→s,ε⟩ =_T ⟨ε(t)→ε(s), ε⟩ therefore we can type a term:
Y(λy^{⟨ε(t)→ε(s), ε⟩}. M(y)) : ⟨ε(t)→ε(s), ε⟩ =_T ⟨t→s,ε⟩, by 4.
Remark

In a similar fashion one can associate a λ-term with a proof of the judgment Γ ⊃ α≤β in
the system in 5.3. The only difficulty arises for the rule (μ_R). Suppose we have inductively
built a term M(x^{t→s}) : α(t)→β(s); then it is possible to transform it into a term M'(x^{μt.α→μs.β})
: [μt.α/t]α→[μs.β/s]β. The term associated with the conclusion of the (μ_R) rule can be
defined as:

Y(λx^{μt.α→μs.β}. λy^{μt.α}. fold(M'(x)(unfold y)))

7.1.2 Proposition (Coercions are definable)

Let α, β ∈ Type and suppose α ≤_A β. Let M be the term associated in 7.1.1 with the execution
tree of ∅, Eα∪Eβ ⊃ α*≤β*. Then the denotation of the term in the model is the unique coercion
map from the interpretation of α to the interpretation of β.
Proof. 

Since we have not given the term interpretation explicitly (see [1]), we can only sketch an 
idea of the proof. 

In the first place we need some facts about the interpretation of terms: 

(a) By erasing the type information and the constants fold, unfold from a typed term M, we
obtain an untyped λ-term er(M). We denote these untyped λ-terms with P, Q, .... It is a basic
property of these interpretations that the interpretation of er(M) gives a representative for the
equivalence class that corresponds to the interpretation of M. We shortly refer to this fact by
saying that er(M) is a realizer for M.

(b) Showing that the interpretation of M is a coercion from α to β means proving that the identity
map, id, is a realizer for M. Equivalently id and er(M) are equivalent in α→β. Note that here and
in the following for the sake of readability we simply refer to syntactic objects but we really
intend to speak of their denotations in the model.

(c) The realizer for Y is an element Fix with functionality: λg. ⊔_n g^n(⊥_D).

In order to prove the theorem by induction on the structure of the execution tree one needs to 
generalize somewhat. 

In the first place one observes that if in the execution tree of ∅,ε ⊃ t≤s we never use (assmp)
then the interpretation of the associated term M : ⟨t→s,ε⟩ is a coercion in ⟨t→s,ε⟩.

However, this is not enough to make the induction go through in the case where the term
M(x) really depends on the assumption variable. One has to observe that M(x) also enjoys a
property of contractiveness.

Let us suppose that (μ) is the last rule applied. By construction assume we have a term M(x)
that is a functional from coercions to coercions. We would like to show that Y(λx.M(x)) is still a
coercion.

Observe that after a (μ) rule we always have a (→) rule. Therefore the term M(x) has the
structure λf.λy.M_2(x)(f(M_1(x)y)).

Now observe that a realizer for Y(λx.M(x)) will be something like ⊔g^n(⊥_D) for
g = λx.λf.λy.P_2(x)(f(P_1(x)y)) where P_i is a realizer for M_i (i=1,2). We have to show that this
realizer is equivalent to id in a type with the structure C = (A⇒B)⇒(A'⇒B'), where A⇒B =
exp(A, B). Since the type is a complete per, it will be enough to show that for each n, g^n(⊥_D) is
equivalent to id in the appropriate type.

To do this we need a last remark. Denote with A|_n the approximation at the n-th level of the
cuper A as in 6.2. One observes that if (P, id) ∈ C|_n then (g(P), id) ∈ C|_{n+1}. This follows easily
from the structure of g and the assumption (6.2.3). Hence we have ∀n. (g^n(⊥_D), id) ∈ C|_n that
implies (⊔g^n(⊥_D), id) ∈ C. □

7.2 Inference 

Let λ→μ be the calculus in section 2. Given a term in λ→μ, possibly not typeable, we are
interested in the problem of determining if it can be well-typed modulo the insertion of
appropriate coercions.

We refer to this problem as coercion inference. We will define a simple algorithm that, given 
a term M, succeeds exactly when M is typeable modulo the insertion of coercions. In this case 
the algorithm returns the least type among the types that can be assigned to M. 

A similar problem was solved in [2] for a second-order lambda calculus with records, and in 
[18] for a second-order lambda calculus including a form of bounded quantification. 

All these results rely on the structural properties of the subtype relation that are stated, in this 
case, as Proposition 7.2.4. 

Notation.

In this section α ≤ β and α ≃ β are shorthands for Tα ≤ Tβ and Tα = Tβ.

7.2.1 Typing modulo coercions 

We can formalize the idea of typing modulo coercions in two ways:

(a) Subsumption. Add to the typing system in 2.2 and 3.1 the following rule based on the
tree order ≤. The version based on ≤_fin is often referred to as Subsumption:

(Sub)  M: α, α ≤ β ⇒ M: β

We denote formal derivability in this new system with ⊢_Sub.

(b) Explicit Coercions. Extend the term language with a collection of constants {c_{α,β} | α, β
types} and add to the typing system in 3.1 the following rule:

(ExpCoer)  M: α, α ≤ β ⇒ (c_{α,β} M): β

Denote formal derivability in this new system with ⊢_c, and denote the corresponding term
language with λ→μc. Moreover, denote with er_c (mnemonic for erase coercions) the obvious
function that takes a term in λ→μc, erases all the constants c_{α,β}, and returns a term in λ→μ.

The use of these rules is justified by the finitary axiomatization of ≤ given in section 5.
Note that in both these systems the (fold_{μt.α} M) and (unfold_{μt.α} M) terms become redundant.

7.2.2 Definition (coercion inference)

We define inductively on the structure of the term M in λ→μ a function⁴

CI: (λ→μ) → (λ→μc ∪ {FAIL}) (CI for coercion inference)

that either fails or returns a well-typed term N in λ→μc such that er_c(N) = M.
The clauses (fold), (unfold) have priority on the clause (apl).

⁴ Actually the following specification determines a class of algorithms that suffices for our purposes.

(var)  CI(x^α) ≜ x^α

(abs)  CI(λx^α.M) ≜ if CI(M) : β then λx^α.CI(M) else FAIL

(apl)  CI(MN) ≜
  if CI(M) : α' and CI(N) : γ then
    if α' ≃ α→β and γ ≤ α then (c_{α',α→β} CI(M))(c_{γ,α} CI(N))
    else if α' ≃ ⊥ then (c_{α',γ→⊥} CI(M)) CI(N) else FAIL
  else FAIL

(fold)  CI(fold_{μt.α} M) ≜
  if CI(M) : β and β ≤ μt.α then fold_{μt.α}(c_{β,[μt.α/t]α} CI(M))
  else FAIL

(unfold)  CI(unfold_{μt.α} M) ≜
  if CI(M) : β and β ≤ μt.α then unfold_{μt.α}(c_{β,μt.α} CI(M))
  else FAIL □

Clearly CI can also be used to define an inference algorithm for ⊢_Sub: just consider the type
of the term synthesized by CI. We prove in 7.2.5 that this algorithm computes the minimal type
of a term (if any). To achieve this result we need the following simple properties.
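As an added illustration (not the paper's own code), the Python below implements the CI clauses of 7.2.2 on top of the assumption-set subtyping test that the rules (assmp), (⊥), (⊤), (var), (→), (μ) describe, using syntactic unfolding of μ-types in place of the paper's type environments ε. It assumes pairwise distinct bound μ-variables, reads the ⊥ branch of (apl) as coercing the function to γ→⊥ for the argument type γ, and constructs the term of remark 7.2.8 and two types of example 5.4.4 as inputs.

```python
"""Coercion inference (CI) of 7.2.2 over recursive types; an added example.
Types: ("bot",), ("top",), ("var", t), ("arrow", a, b), ("mu", t, a).  Terms:
("var", x, ty), ("abs", x, ty, m), ("app", m, n), ("fold", mu_ty, m),
("unfold", mu_ty, m); CI inserts ("coerce", a, b, m) for c_{a,b} applied to m.
Assumption: bound mu-variables are pairwise distinct, so no renaming is needed."""
BOT, TOP = ("bot",), ("top",)
def var(t): return ("var", t)
def arrow(a, b): return ("arrow", a, b)
def mu(t, body): return ("mu", t, body)

def subst(ty, t, by):
    """[by/t]ty, relying on the distinct-binders assumption."""
    if ty[0] == "var":
        return by if ty[1] == t else ty
    if ty[0] == "arrow":
        return arrow(subst(ty[1], t, by), subst(ty[2], t, by))
    if ty[0] == "mu":
        return ty if ty[1] == t else mu(ty[1], subst(ty[2], t, by))
    return ty

def unfold(ty):
    """One unfolding step: mu t.a becomes [mu t.a/t]a."""
    return subst(ty[2], ty[1], ty)

def subtype(a, b, assumptions=frozenset()):
    """Decide a <= b (tree ordering) by the assumption-set algorithm; the cases
    are the rules (assmp), (bot), (top), (var), (mu) on either side and (->).
    A goal is recorded before its mu is unfolded, so cycles close by (assmp)."""
    if (a, b) in assumptions:
        return True
    if a == BOT or b == TOP:
        return True
    if a[0] == "var" and b[0] == "var":
        return a == b
    if a[0] == "mu":
        return subtype(unfold(a), b, assumptions | {(a, b)})
    if b[0] == "mu":
        return subtype(a, unfold(b), assumptions | {(a, b)})
    if a[0] == "arrow" and b[0] == "arrow":   # contravariant left, covariant right
        return subtype(b[1], a[1], assumptions) and subtype(a[2], b[2], assumptions)
    return False

def head(ty):  # unfold top-level mu binders until the shape bot, top, t or a->b appears
    seen = set()
    while ty[0] == "mu" and ty not in seen:
        seen.add(ty)
        ty = unfold(ty)
    return ty

def coerce(src, dst, term):
    """The coercion constant c_{src,dst} applied to term (omitted when src is dst)."""
    return term if src == dst else ("coerce", src, dst, term)

def ci(term):
    """Clauses (var), (abs), (apl), (fold), (unfold) of 7.2.2; returns
    (term with coercions, least type) or None for FAIL.  In the bot branch of
    (apl) the function is coerced to gamma->bot, gamma being the argument's type."""
    tag = term[0]
    if tag == "var":
        return term, term[2]
    if tag == "abs":
        r = ci(term[3])
        return None if r is None else (("abs", term[1], term[2], r[0]), arrow(term[2], r[1]))
    if tag == "app":
        rm, rn = ci(term[1]), ci(term[2])
        if rm is None or rn is None:
            return None
        (m, a1), (n, gamma) = rm, rn
        h = head(a1)
        if h[0] == "arrow" and subtype(gamma, h[1]):
            return ("app", coerce(a1, h, m), coerce(gamma, h[1], n)), h[2]
        if h == BOT:
            return ("app", coerce(a1, arrow(gamma, BOT), m), n), BOT
        return None
    mty, r = term[1], ci(term[2])            # (fold) and (unfold)
    if r is None or not subtype(r[1], mty):
        return None
    if tag == "fold":
        return ("fold", mty, coerce(r[1], unfold(mty), r[0])), mty
    return ("unfold", mty, coerce(r[1], mty, r[0])), unfold(mty)

def erase(term):
    """er_c: drop the coercion constants (7.2.3 states er_c(CI(M)) = M)."""
    tag = term[0]
    if tag == "coerce":
        return erase(term[3])
    if tag == "abs":
        return ("abs", term[1], term[2], erase(term[3]))
    if tag == "app":
        return ("app", erase(term[1]), erase(term[2]))
    if tag in ("fold", "unfold"):
        return (tag, term[1], erase(term[2]))
    return term

# Constructed inputs: the term of remark 7.2.8 and two types from example 5.4.4.
T, S = var("t"), var("s")
EX_728 = ("abs", "f", arrow(T, S), ("abs", "x", T, ("app",
    ("abs", "y", TOP, ("var", "x", T)),
    ("app", ("var", "f", arrow(T, S)), ("var", "x", T)))))
R3 = mu("r3", arrow(TOP, var("r3")))          # mu r3.(top -> r3)
U6 = mu("u6", arrow(var("u6"), var("u6")))    # mu u6.(u6 -> u6)
```

`ci(EX_728)` inserts a single coercion c_{s,⊤} around `f x` and returns the least type (t→s)→t→t; `subtype(R3, arrow(BOT, U6))` closes the cycle through (assmp) exactly as the proof tree of 5.4.4 does.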

7.2.3 Proposition

Let M be a term in λ→μ; then:

(1) ⊢_Sub M : α iff for some N: ⊢_c N : α and er_c(N) = M.

(2) If CI(M) : β then er_c(CI(M)) = M.

Proof

(1) Every introduction of an explicit coercion corresponds to an application of subsumption
and vice versa.

(2) By induction on the definition of CI. □

7.2.4 Proposition

Let α, β, ... be recursive types; then:

(1) If α ≤ β1→β2 then either α ≃ ⊥ or α ≃ α1→α2, β1 ≤ α1, and α2 ≤ β2.

(2) If α1→α2 ≤ β then either β ≃ ⊤ or β ≃ β1→β2, β1 ≤ α1, and α2 ≤ β2.

Proof

(1) α can be rewritten, by unfolding, to an equivalent type of the shape ⊥, ⊤, t or α1→α2. The
definition of the tree ordering and the hypothesis α ≤ β1→β2 lead to the conclusion by a simple
case analysis.

(2) Analogous. □

7.2.5 Theorem (Terms have a least type)

Let M be a term in λ→μ; then ⊢_Sub M : α implies CI(M) : β and β ≤ α.

Proof

By induction on the structure of M.
C(N) is a meta-notation for c_{α_{n-1},α_n}(...(c_{α_1,α_2} N)..), where: N : α_1, n ≥ 1, α_i ≤ α_{i+1}.
By virtue of 7.2.3.(1) we may equivalently assume the existence of a well-typed term N in λ→μc
such that er_c(N) = M.

Observe the crucial role of property 7.2.4 in proving the rather surprising fact that the algorithm
is complete in the sense just stated above.

Case M = x^β.

If er_c(N) = x^β then N = C x^β : α and β ≤ α. On the other hand CI(x^β) = x^β : β.

Case M = (λx^α.M').

If er_c(N) = λx^α.M' then N = C(λx^α.N') : γ, er_c(N') = M', and N' : β'.

By induction hypothesis CI(M') : β and β ≤ β', hence by definition CI(λx^α.M') : α→β. Note
that α→β' ≤ γ by definition of N and this implies (by 7.2.4) either γ ≃ ⊤ (and in this case we are
done as α→β ≤ ⊤) or γ ≃ γ1→γ2, γ1 ≤ α and β' ≤ γ2.
In the latter case β ≤ β' ≤ γ2 implies α→β ≤ γ.

Case M = (M1 M2).

If er_c(N) = M1 M2 then N = C(N1 N2) : γ, er_c(N_i) = M_i i=1,2, N1 : γ1→γ2, N2 : γ1.

By induction hypothesis CI(M_i) : β_i i=1,2, β1 ≤ γ1→γ2 and β2 ≤ γ1.

From (7.2.4) follows that β1 ≃ ⊥ or β1 ≃ β1'→β1'', γ1 ≤ β1', β1'' ≤ γ2.

In the first case CI(M1 M2) : ⊥ and we are done.

In the second CI(M1 M2) : β1'' as β2 ≤ γ1 ≤ β1'.

Finally observe: β1'' ≤ γ2 ≤ γ.

Case M = (fold_{μt.α} M').

If er_c(N) = fold_{μt.α} M' then N = C(fold N') : γ, er_c(N') = M', N' : [μt.α/t]α = γ', γ' ≤ γ. By
induction hypothesis CI(M') : β', β' ≤ γ'. Hence by definition, CI(fold M') : μt.α and we have
μt.α ≃ γ' ≤ γ.

Case M = (unfold_{μt.α} M').
Analogous. □

Remarks 

7.2.6 One can think of substituting the explicit coercions with the definable coercions 
constructed in section 7.1. The resulting term is now typeable in an extension of the calculus 
in section 2 including the rule: M:a, a=P => M:p. 

We recall that this rule is soundly interpreted by the model. 

7.2.7 Observe that in general there are many possible well-typed terms of the same type 
to which the erase-coercions map assigns the same term, that is: 

h c Ni : a , h c N 2 : a and er c (N : ) = er c (N 2 ) 
However, Nj and N 2 receive the same interpretation in the model. 
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It is an appealing aspect of our semantic approach to the interpretation of subtyping that 
many hard coherence problems (see [18]) simply disappear by recalling the uniqueness of the 
coercion in the model. 

7.2.8 The following is a trivial example of a term that can be typed in the type system 
with subsumption but not in the system described in 2.2: $\vdash_{Sub} \lambda f^{t \to s}.\ \lambda x^{t}.\ (\lambda y^{\top}.\ x)(f\, x) : (t \to s) \to t \to t$. 
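As an added illustration (this is not code from the paper), the following Python program implements a least-type function `ci` that follows the cases of the proof above: an abstraction receives $\alpha \to CI(M')$; an application receives $\bot$ when the function part has type $\bot$, and the codomain $\beta_1''$ when $CI(M_1) = \beta_1' \to \beta_1''$ (taken modulo unfolding of $\mu$) and $CI(M_2) \le \beta_1'$; fold and unfold move between $\mu t.\alpha$ and $[\mu t.\alpha/t]\alpha$, with the side condition that the subterm's least type fits the unfolding (an assumption, since the proof only uses the typing of $N'$). The subtyping test `subtype` is the usual assumption-set algorithm on regular trees, assumed here because this page does not reproduce section 5, together with the canonical-form convention that a non-contractive type such as $\mu t.t$ is read as $\bot$. The sample terms, including the one from 7.2.8, are constructed for this example; `D`, `OMEGA_FOLDED`, `NOT_IN_2_2` and the tuple encoding are not notation of the paper.

```python
# Added illustration, not the paper's code: a least-type function in the style of
# CI (7.2.5) over a tuple encoding of types and terms (tuples are hashable).

TOP = ('top',)                                  # types: ('top',), ('bot',), ('var', t),
BOT = ('bot',)                                  #        ('arrow', s, t), ('mu', t, body)
def var(name): return ('var', name)             # also used for term variables below
def arrow(dom, cod): return ('arrow', dom, cod)
def mu(name, body): return ('mu', name, body)

def subst(ty, name, repl):
    """[repl/name]ty; a nested mu that rebinds name shadows it."""
    kind = ty[0]
    if kind == 'var':
        return repl if ty[1] == name else ty
    if kind == 'arrow':
        return arrow(subst(ty[1], name, repl), subst(ty[2], name, repl))
    if kind == 'mu' and ty[1] != name:
        return mu(ty[1], subst(ty[2], name, repl))
    return ty

def unfold(ty):
    """mu t.a  ->  [mu t.a / t] a  (equal as infinite trees)."""
    assert ty[0] == 'mu'
    return subst(ty[2], ty[1], ty)

def head(ty):
    """Unfold leading mu's so the root constructor is visible; a non-contractive
    type such as mu t.t is read as bot (assumed canonical-form convention)."""
    seen = set()
    while ty[0] == 'mu':
        if ty in seen:
            return BOT
        seen.add(ty)
        ty = unfold(ty)
    return ty

def subtype(s, t, seen=frozenset()):
    """Tree ordering s <= t: a pair met again on the current path is taken to
    hold (coinduction); regularity keeps the set of candidate pairs finite."""
    if (s, t) in seen:
        return True
    seen = seen | {(s, t)}
    s, t = head(s), head(t)
    if t == TOP or s == BOT or s == t:
        return True
    if s[0] == 'arrow' and t[0] == 'arrow':     # contravariant domain, covariant codomain
        return subtype(t[1], s[1], seen) and subtype(s[2], t[2], seen)
    return False

class CoercionError(Exception):
    """No choice of coercions makes the term well typed."""

def ci(term, env=None):
    """Least type of a term; terms: ('var', x), ('lam', x, type, body),
    ('app', m, n), ('fold', mutype, m), ('unfold', mutype, m)."""
    env = {} if env is None else env
    kind = term[0]
    if kind == 'var':
        if term[1] not in env:
            raise CoercionError('unbound variable ' + term[1])
        return env[term[1]]
    if kind == 'lam':                           # CI(lambda x:a. M') = a -> CI(M')
        _, x, a, body = term
        return arrow(a, ci(body, {**env, x: a}))
    if kind == 'app':
        f, a = head(ci(term[1], env)), ci(term[2], env)   # f taken modulo unfolding
        if f == BOT:
            return BOT                          # beta_1 = bot: the application is bot
        if f[0] == 'arrow' and subtype(a, f[1]):
            return f[2]                         # argument coerced into beta_1', result beta_1''
        raise CoercionError('application not typeable')
    if kind == 'fold':                          # mu t.a, if CI(M') <= [mu t.a/t]a (assumed side condition)
        _, mt, m = term
        if subtype(ci(m, env), unfold(mt)):
            return mt
        raise CoercionError('fold not typeable')
    if kind == 'unfold':                        # symmetric: the result is the unfolding
        _, mt, m = term
        if subtype(ci(m, env), mt):
            return unfold(mt)
        raise CoercionError('unfold not typeable')
    raise CoercionError('unknown term ' + repr(term))

def infer(term):
    try:
        return ci(term)
    except CoercionError:
        return None

# constructed sample terms
T, S = var('t'), var('s')
# 7.2.8: lambda f:t->s. lambda x:t. (lambda y:top. x)(f x);  f x : s is coerced to top
EXAMPLE_7_2_8 = ('lam', 'f', arrow(T, S), ('lam', 'x', T,
                 ('app', ('lam', 'y', TOP, var('x')), ('app', var('f'), var('x')))))
# same shape with lambda y:t, which cannot absorb an argument of type s
NOT_IN_2_2 = ('lam', 'f', arrow(T, S), ('lam', 'x', T,
              ('app', ('lam', 'y', T, var('y')), ('app', var('f'), var('x')))))
D = mu('t', arrow(T, T))                        # self-application folded into mu t.(t -> t)
OMEGA_FOLDED = ('fold', D, ('lam', 'x', D, ('app', ('unfold', D, var('x')), var('x'))))

if __name__ == '__main__':
    for name, term in [('7.2.8', EXAMPLE_7_2_8), ('not in 2.2', NOT_IN_2_2), ('omega', OMEGA_FOLDED)]:
        print(name, infer(term))
```

Running the program assigns the 7.2.8 term the type $(t \to s) \to t \to t$ because the argument $f\,x : s$ is coerced into $\top$ at the application; the variant with $\lambda y^{t}$ fails, since $s \le t$ does not hold between two distinct atomic types; and the folded self-application receives the recursive type $D$ after `unfold` exposes the arrow and the `fold` side condition is checked against $[D/t](t \to t)$. The `subtype` test can also be called directly, for instance to confirm that $\mu t.(\top \to t) \le \mu t.(\bot \to t)$ holds while the converse does not.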



8. Conclusion 

We have used a subtyping relation based on infinite trees as the central concept of our work. 
In our experience this relation has arisen naturally, giving insights about both the subtypings 
valid in certain per models and the behavior of the Amber implementation. In fact we have 
shown that this relation can be used to characterize sound and complete theories for a certain 
class of per models and that it can be simply and efficiently implemented. We have also shown 
the soundness and completeness of certain rules and the definability of coercions within the 
calculus (modulo a strengthening of the notion of type equality). Finally, we have observed that 
the whole process of inferring coercions and minimal types can be automated. 

In conclusion, let us consider the problem of the extension of our results. 

The notions of tree expansion and finite approximation (section 3) can be easily adapted to 
larger languages, both with first-order type constructors like products, sums, records and 
variants, and with higher-order type constructors like second-order universal quantification. The 
important point is that the tree resulting from the expansion is regular. Under this assumption it 
seems possible to adapt algorithms and rules to obtain results of soundness and completeness 
(sections 4, 5). Caution is necessary in extensions to bounded quantification since some of those 
systems are undecidable [24]. 

About the relationship between the tree ordering and the model, we expect the extension of 
the soundness theorem (6.2) to be straightforward. On the other hand we expect technical 
problems from the completeness theorem (6.3) when introducing higher-order type constructors 
like second-order universal quantification. In particular, in this case, it is not clear how to extend 
the separation lemma (6.3.3). 

The result on the definability of the coercions has already been obtained for several calculi 
with records, variants, and bounded quantification (but without recursion). It is a reassuring 
result that shows that the subtyping theory is in good harmony with the calculus. 

The fact that terms have a least type has a clear impact on the implementation of the 
type-checker. This appears to be a very desirable property towards an automatic treatment of 
coercions. The result, at the present state of the art, clearly relies on the structural properties of 
the subtyping relation. 

Finally, we observe that challenging extensions arise when dealing with non-ground 
collections of subtyping assumptions (see [3]). In this case much work remains to be done. 